All posts by Michael Stoop

Michael Stoop is the president of Metropolitan Risk Advisory. He leads a team of smart & proactive risk advisors whose acumen and protocols yield a substantive outcome for their customers. The goal is to achieve a cost efficiency and cost consistency that better positions them for growth and continuity in their native markets. Michael has been in the industry for over 20 years.

COVID-19 Resource Guide for Employers

For our clients and the curious, here is a great resource guide as you seek to build out your own programs and responses to the COVID-19 pandemic. We have been fielding a great many calls from companies looking to get ahead of this issue. We thought we would aggregate the information that is the most beneficial for valued stakeholders. Coronavirus (COVID-19) is an emerging challenge across the world for employers. We’ve gathered some materials to help you stay on top of employee concerns. Check here frequently for updates.

CDC Materials

In response to the COVID-19 outbreak, the U.S. Centers for Disease Control and Prevention (CDC) has issued:

The CDC has also created the following posters for download:

Keep up to date on CDC guidance for specific industries, latest updates, and resources on the Coronavirus Disease 2019 (COVID-19) main page.

DOL Materials

The U.S. Department of Labor (DOL) has created a resource page for workers and employers. The DOL’s Wage and Hour Division has posted these posters and guidance:

EEOC Materials

The U.S. Equal Employment Opportunity Commission (EEOC) has created a landing page entitled What You Should Know About the ADA, the Rehabilitation Act, and COVID-19, which provides links to resources and guidance.

HHS Materials

In response to COVID-19, the Office of Civil Rights for the U.S. Department of Health and Human Services (HHS) issued a bulletin regarding HIPAA Privacy and COVID-19.

OSHA Materials

The U.S. Occupational Safety and Health Administration (OSHA) has created a COVID-19 website for workers and employers that addresses the disease and provides guidance and other resources for preventing exposure to and infection with the virus.

Topics covered include:

OSHA has also issued the publication Guidance on Preparing Workplaces for COVID-19.

NCCI Materials

Covid-19 and Workers’ Compensation: What You Need To Know

Small Business Administration Materials

The U.S. Small Business Administration has issued guidance entitled SBA Disaster Assistance in Response to the Coronavirus, explaining how the SBA is offering designated states and territories low-interest federal disaster loans for working capital to small businesses suffering substantial economic injury as a result of the coronavirus. Also see Coronavirus (COVID-19): Small Business Guidance & Loan Resources.

ThinkHR Materials

New York State Guidelines

Department of Health

Department of Labor

Office of the Attorney General

What Are The Employer Posting Requirements for NY State

A frequent question we get from NY State employers is what the employer posting requirements are for NY State. It’s important to update your employer postings, especially since the New York State Department of Labor is requiring a poster, placed in a high-traffic area, explaining and giving direction on your Sexual Harassment policy. For more information on the new Sexual Harassment policy for both New York City & New York State CLICK HERE.

Since we are updating our poster requirements here is the latest and greatest if you are a company located in New York State or have an office/employees employed in NY State. These are both the NY State & Federal posting requirements contingent on your industry. This posting is as of 10/5/2018.

New York Posting Requirements as of 10/5/2018 (Updated 5/19/2020):

Click here for the updated link to the posters. New York employers should display the following state posters in the workplace, in addition to the required federal posters:

New York State Department of Labor
Registration Subsection
State Office Building Campus
Albany, NY 12240-0339
Phone: (518) 485-8589
Fax: (518) 485-8010

 

These posters, as well as those required under federal law, are available for download from the New York Department of Labor.

Additional Employer Posting Requirements for New York State

Child Labor Laws

Employers must make a schedule for all minors employed by the employer and post it in a conspicuous place. The schedule sets forth the hours minors start and end work and the time allotted for meals. The hours of work can be changed, as long as the changes are posted on the schedule. Minors may work only on the days and at the times posted on the schedule. If minors are present at other times or if no schedule is posted, it is a violation of the Child Labor Law.

Public Works/Prevailing Wage Rates

The current Prevailing Rate Schedule notice must be:

  • Posted in a prominent and accessible place on the site of the public work project.
  • Encased in, or constructed of, materials capable of withstanding adverse weather conditions.
  • Titled “PREVAILING RATE OF WAGES” in letters no smaller than 2 x 2 inches.

Local Jurisdictions

Important: Local jurisdictions in New York may have additional posting requirements. Employers should contact their particular local jurisdiction for specifics.

Some commonly requested posters for New York City employers include:

These are just some of the employer posting requirements for New York State

Resuming Business Operations During Covid-19

Foremost on most organizations’ agendas is the question of how to resume operations in a COVID-19 world. Candidly, it’s a bit complicated and contingent on a great many factors. Here’s a very short list of some contingencies.

What does your operation look like; what do you do? What does your service plant or office look like? How is it structured? Lastly, what are your workflow and staffing levels to execute? Can you stagger staffing locations to create separation? This is a short list of considerations to take to maximize the safety of your employees and customers.

At Metropolitan Risk part of our business model is to engage and vet high-quality partners that bring a risk mitigation skill set that our clients can leverage. Purchasing insurance is just another way to finance risk. The real magic and cost reductions happen when you marry the science & art of risk management with risk financing. Through the years we found our risk management recommendations weren’t always followed through because our clients lacked a network of these highly skilled individuals and firms by discipline.  Thus we thought we would make it easier for our clients to engage the necessary resources.

For purposes of today’s article, we partnered with Rich Landau of Jackson & Lewis, one of the preeminent employee law firms in the country. Rich was kind enough to share a LIST of things to consider as we begin to emerge from our COVID-19 induced stasis. Understand that this list is long and does not apply universally to every business. Think of this list as a general idea of what to consider as you make your own list to re-open.

Click here to download the list of suggestions to resume the operations of your organization in a COVID-19 world. 


For those of you who are Metropolitan Risk clients, we encourage you to speak to your Risk Advisor for assistance on how to build your own list. 

Disturbing Hacking Trends

Security experts commonly say that there are only two types of companies these days: companies that have been hacked, and those that don’t yet know that they’ve been hacked. Here are some important hacking trends drawn from a statistical study.

Verizon’s 2020 Data Breach Investigations Report counted 3,950 CONFIRMED data breaches last year in addition to more than 32,000 “security incidents.”

Victims spanned a wide range of 16 industries with these 4 having the largest number of cases:

  • Professional Services – 7,500 incidents, 325 breaches
  • Public Administration – 6,850 incidents, 350 breaches
  • Information – 5,500 incidents, 360 breaches
  • Financial/Insurance – 1,500 incidents, 450 breaches

*Totals slightly off due to rounding

 

Any business that operates online is at potential risk of suffering a data breach. It doesn’t matter how small your business is, either.

According to Verizon’s report more than 3 out of 4 breaches are done by profit-minded criminals for financial gain. 

Other alarming stats:

  • Only 30% of data breaches were the work of insiders.
  • 86% of data breaches were motivated by financial profit for the hackers.
  • Also, 58% of victims had personal information compromised.
  • In 17% of breaches, Verizon said, the attackers installed malicious software on the victim’s systems, whereas the more common tools are spear phishing, ransomware, or business email compromise.
  • In 22 percent of breaches, the attackers leveraged social tactics, such as spear phishing, in which a tailored e-mail to the victim purports to come from a friend or business contact. The e-mails contain malicious links or attachments that, when clicked, give the attacker a foothold in the victim’s computer network. See below image for an example of what NOT to click.

Photo from Wikimedia Commons

The good news? The Verizon report highlighted the lag between a breach and the time the breach is realized. This year, companies and external third-party software experts were able to improve that time. 81% of the time, it takes only days to contain a breach. Compare this to years past, when it took months, maybe even a year. In previous yearly reports, Verizon stated things like “The compromise-to-discovery timeline continues to show in months and even years, as opposed to hours and days.” This trend is no longer true. Don’t be another cog in one of the larger hacking trends currently ongoing. Click the link below or call 914-357-8444 today.

Click here for advice on preventing hacking theft or if you are still interested in a crime policy to protect your assets.

7 Common Insurance Errors Businesses Make

We recently left a meeting with one of the largest construction companies in the country, whose sales are north of a billion dollars annually. The first comment my counterpart made was, “I cannot believe how poor their systems are…” I turned to him and gave him one of my favorite lines because it still rings true to me on a daily basis, “I’m always amazed, never surprised.” Universally, whether you are a billion dollar construction company, a small manufacturer, a non-profit, or a healthcare company, these are the flaws we see in over 98% of the companies we are invited into. Here are 7 insurance errors commonly made by any and all types of companies.

1. Wrong Goal: 

Most companies set a goal of lowering their insurance spending every year. They see it as a tax. It’s an expense that doesn’t generate value. We suggest this goal is incorrect. Your claims history and risk-based costs drive your insurance costs, not your broker or the insurance carriers. 80% of an organization’s costs are outside the cost of the insurance. Furthermore, the cost of your insurance program tends to be a lagging indicator, reset only once a year. Measuring, preventing, and managing your claims and claims-related costs should be the goal, not lowering your insurance cost. If you can demonstrate to the insurance marketplace that your company is historically profitable (claims to premium ratio) then you will have carriers competing for your business, which will, in turn, lower your costs.


2. Insufficient Resources for the Goal:

The best companies at least have a safety budget. Many, sadly, don’t even have that. If you want your arms around your biggest cost drivers, you need to dedicate resources towards the solution. We suggest that you start by setting a Risk Budget, not just a safety budget. It’s helpful if you know how much money you’re leaking due to claims. Having this Risk/Reward context will help you sell your budget number to management. Moreover, if you have solid systems (see 4), you can leverage those systems to bring in other resources in a cost-efficient fashion. This allows you to stretch the budget.

Most companies don’t leverage their carrier relationships or their brokers for resources to help them with their cost drivers. Even when they do, it’s too inconsistent to have much impact. Staffing at most organizations is thin at best, whereby a single staff person is also delegated the risk responsibilities on top of all the other hats they wear.

3. Improper to Absolutely No Data:

When we ask prospective clients how they determine success or failure in their insurance program, they almost always tell us insurance premiums. Again, this is flawed. Premiums by themselves indicate nothing and often are also a false read. Instead, premiums should be converted to a rate per sales, payroll, or vehicle. Also, the insurance contracts themselves might exclude or include more risk, which swings costs. Our main point is that companies do not have the proper data to reveal their true cost drivers, hot spots, or success spots in an organization. They can’t benchmark themselves over a year’s time. They can’t benchmark supervisory employees, departments, or locations, nor can they tell you what their ROI is on their safety investment. Nor can they build compensation incentives around the company’s cost savings goals.

Without the proper data it’s nearly impossible to change culture, results, or fix cost drivers that you haven’t even identified. Imagine being a doctor trying to diagnose a patient without running tests, looking at charts, and being able to benchmark vitals. Most companies lack this critical ability to gain insight, let alone the ability to select the correct treatment option.

4. Little Strategy:

Here’s a hint: shopping your insurance with 3 competing brokers is not a sound strategy. Yes, it may have worked for you a few times, but it’s like shooting foul shots backwards. You may get lucky, but it’s not consistently sustainable. If you set the proper goal, you can then test the marketplace with your (1) broker who can (and will) get you competitive pricing. Set your strategy on controlling and lowering your main cost drivers, and your insurance costs will follow.

5. Systems:

The best of these companies use spreadsheets to capture data, and then exchange insights via email. Most don’t even have the spreadsheets! If you have a solid system as a nucleus, you can then build both process and staff around this core system. Further you can leverage the system to hire outside specialties to address thorny issues. In absence of a strong core system, it’s very difficult to get a sustained, consistent effort bent towards solving your most vexing claims issues.

 

6. Lack of Process/Protocol:

There is so much low-hanging fruit that costs so little when it comes to managing claims cost drivers, most of which is just knowing the proper protocol when “x” occurs. Then, it’s all about communicating that protocol organization-wide, with a proper system in place to build in accountability, so it becomes natural.

Note: Having a task list is not a system. Closing the execution loop, holding people accountable, is a system. The loop is closed through a random audit process.

7. Price vs Cost:

This is a big one. Too often, we see companies focus on the price of the insurance against the long term costs. Nothing is more expensive than a cheap insurance contract. You finance your risk with operating cash flows, reserves or worse… loans. Contrary to popular belief the correct answer is not insurance. If you had the correct data, contained within a system, then you would understand the real cost drivers in your organization so you can then attack them strategically. That takes too much work, so folks just look at the premium, write the check and hope for the best.

Here’s the good news (sarcasm). There is a new class of competitor coming to your space that understands these seven points and is executing them with ambitious zeal. They understand that to truly lower their unit cost structure they need to look at their cost of risk rather than the price of their insurance. Having this ability is truly an overwhelming marketplace advantage as they will be cost efficient and cost consistent year in and year out. You will know them by their telltale signs: high growth, more market share, lower costs and higher profits.

Wash, rinse, repeat.

A Small Business’ Guide To The CARES Act

On Friday, March 25, 2020, the US Senate passed the CoronaVirus Aid, Relief and Economic Security Act (CARES Act), to help provide financial relief to the people and businesses of America. This bill is a $2 trillion relief package in response to the economic fallout from the fast-developing Coronavirus pandemic. The CARES Act is meant to provide direct financial aid to American families, payroll and operating expense support for small businesses, and loan assistance for industries affected by the pandemic. Here is a breakdown of some of the topics the CARES Act covers:

What is the Paycheck Protection Program?

The Paycheck Protection Program, one of the largest sections of the CARES Act, is the most important provision in the new stimulus bill for most small businesses. This new program sets aside $350 billion in government-backed loans, and it is modeled after the existing SBA 7(a) loan program many businesses already know.

Who Qualifies for the Paycheck Protection Program?

This program was created as an incentive for small businesses with fewer than 500 employees and select businesses with 1,500 employees to maintain payroll through June, and it expands the SBA network so that more banks, credit unions, and lenders can issue those loans. The goal is for small businesses to not lay off workers and to rehire laid-off workers that lost jobs due to COVID-19 disruptions.

What Is The Maximum Loan Amount A Business Can Receive Through The Paycheck Protection Program?

The maximum loan amount under the Paycheck Protection Act is $10 million, with an interest rate no higher than 4%. No personal guarantee or collateral is required for the loan. The lenders are expected to defer fees, principal and interest for no less than six months and no more than one year.

What Can These Funds Be Used For?

Businesses can use funds from the Program loans to cover expenses including:

  • Payroll costs, including compensation to employees; payments for vacation, parental, family, medical or sick leave; severance payments; payments required for group health care benefits (including insurance premiums), retirement benefits, and state and local employment taxes
  • Interest payments on any mortgage obligations or other debt obligations incurred before February 15, 2020 (but not any payments or prepayments of principal)
  • Rent
  • Utilities

However, the money cannot be used for compensation of individual employees, independent contractors, or sole proprietors in excess of an annual salary of $100,000; compensation of employees with a principal place of residence outside the United States; or leave wages already covered by the Families First Coronavirus Response Act.

How Are Loans Made Under The Paycheck Protection Program Different From Traditional 7(a) Loans?

Unlike traditional SBA 7(a) loans, no personal guarantee will be required to receive funds and no collateral needs to be pledged. Similarly, the CARES Act waives the requirement that a business shows that it cannot obtain credit elsewhere. In lieu of these requirements, borrowers must certify that the loan is necessary due to the uncertainty of current economic conditions; that they will use the funds to retain workers, maintain payroll, or make lease, mortgage, and utility payments; and that they are not receiving duplicative funds for the same uses.

The SBA will not collect any yearly or guarantee fees for the loan and all prepayment penalties are waived. Payment of principal, interest, and fees will be deferred for at least 6 months but not more than a year.

The SBA has no recourse against any borrower for non-payment of the loan, except where the borrower has used the loan proceeds for a non-allowable purpose.

What Are The Loan Forgiveness Requirements?

Borrowers are eligible for forgiveness of payroll costs and rent payments, utility payments, or mortgage interest payments for the 8 weeks commencing from the origination date of the loan. Eligible payroll costs do not include annual compensation greater than $100,000 for individual employees.

The amount of loan forgiveness may be reduced if the employer reduces the number of employees as compared to the prior year, or if the employer reduces the pay of any employee by more than 25% as of the last calendar quarter. Employers who re-hire workers previously laid off as a result of the COVID-19 crisis will not be penalized for having a reduced payroll for the beginning of the relevant period. Forgiveness may also include additional wages paid to tipped workers.

Borrowers must apply for loan forgiveness to their lenders by submitting required documentation (as discussed in further detail below) and will receive a decision within 60 days.

If a balance remains after the borrower receives loan forgiveness, the outstanding loan will have a maximum maturity date of 10 years after the application for loan forgiveness.

How Does A Business Apply For A Loan Under the Paycheck Protection Program?

We expect additional guidance from the SBA regarding how to apply for Program loans, including additional resources on the SBA website about how to find a qualified lender. Borrowers who have outstanding SBA loans may also want to contact their existing lenders to inquire about applying for loans under the Program.

Is Relief Available For Businesses With Pre-existing SBA Loans?

Yes. The SBA will pay the principal, interest, and associated fees on certain pre-existing SBA loans for 6 months.

Does the CARES Act Affect Any Other Loans Available To Small Businesses?

Yes. The maximum loan amount for an Express Loan is increased from $350,000 to $1 million.

The CARES Act also expands eligibility for borrowers applying for an Emergency Economic Injury Disaster Loan (EIDL) grant. Under the Act, emergency EIDLs are available for businesses or cooperatives with fewer than 500 employees, sole proprietors or independent contractors, or Employee Stock Ownership Plans (ESOPs) with fewer than 500 employees. Additionally, the Act waives requirements that (1) the borrower provide a personal guarantee for loans up to $200,000, (2) that the eligible business be in operation for one year prior to the disaster, and (3) that the borrower be unable to obtain credit elsewhere. The SBA is also empowered to approve applicants for small-dollar loans solely on the basis of their credit score or “alternative appropriate methods to determine an applicant’s ability to repay.”

Most significantly for borrowers seeking an immediate influx of funds, borrowers may receive a $10,000 emergency advance within three days after applying for an EIDL grant. If the application is denied, the applicant is not required to repay the $10,000 advance. Emergency advance funds can be used for payroll costs, increased material costs, rent or mortgage payments, or for repaying obligations that cannot be met due to revenue losses.

Borrowers may apply for an EIDL grant in addition to a loan under the Paycheck Protection Program, provided the loans are not used for the same purpose. If a borrower received a loan under 7(b)(2) after January 31, 2020, the borrower may refinance the outstanding balance as part of a loan under the Program.

For more resources on the CARES Act:

Applying For A Small Business Administration Loan?

I don’t know any business in the tristate metropolitan region that has not been impacted by COVID-19. For those looking to shore up their balance sheets here’s a quick primer on applying for a small business administration loan courtesy of our accountants Citrin/Cooperman. 

Currently, the Small Business Administration is working with states to provide targeted, low-interest Economic Injury Disaster Loans to businesses and not-for-profits that have been impacted by the COVID-19 virus to help overcome the temporary loss of revenue. Small businesses can receive up to $2 million in disaster assistance loans in certain eligible areas.

The following is a summary of the loan eligibility and the process for a Small Business Administration Disaster Business Loan:

 

  • The business must be located in a Current Disaster Declaration Area to qualify. Click here for the latest update.
  • You must qualify as a small business. For the business to qualify, it must meet the requirements for maximum number of employees or maximum revenue. Click here for the requirements for your specific industries.
  • The SBA loan process is a three-step process. The first step in the process is to apply online, in-person, or by mail. The following forms will be needed:
    • For all applications, excluding not-for-profit organizations, the following items must be submitted:
      • This application (SBA Form 5), completed and signed.
      • Tax Information Authorization (IRS Form 4506T), completed and signed by each applicant, each principal owning 20 percent or more of the applicant business, each general partner or managing member; and, for any owner who has greater than 50 percent ownership in an affiliate business. Affiliates include, but are not limited to, business parents, subsidiaries, and/or other businesses with common ownership or management.
      • Complete copies, including all schedules, of the most recent federal income tax returns for the applicant business; an explanation if not available.
      • Personal Financial Statement (SBA Form 413) completed, signed, and dated by the applicant, each principal owning 20 percent or more of the applicant business, and each general partner or managing member.
      • Schedule of Liabilities listing all fixed debts (SBA Form 2202 may be used).
    • Additional information may be necessary to process your application. If requested, please provide within 7 days of the information request:
      • Complete copy, including all schedules, of the most recent federal income tax return for each principal owning 20 percent or more, each general partner or managing member, and each affiliate when any owner has more than 50 percent ownership in the affiliate business. Affiliates include, but are not limited to, business parents, subsidiaries, and/or other businesses with common ownership or management.
      • If the most recent federal income tax return has not been filed, a year-end profit-and-loss statement and balance sheet for that tax year.
      • A current year-to-date profit-and-loss statement.
      • Additional Filing Requirements (SBA Form 1368) providing monthly sales figures will generally be required when requesting an increase in the amount of economic injury.
  • Step two of the process is the property verification, loan processing, and decision by the SBA.
  • The final step is the loan closing and the disbursement of funds.

RESOURCES:

Disaster Loan Assistance

Apply For A Disaster Loan (Complete your disaster loan application online.)

Disaster Loan Application Paper Forms

Coronavirus (COVID-19): Small Business Guidance & Loan Resources

Current Disaster Declarations (Locate disaster areas by state and territory. You must be in an SBA declared disaster area to be eligible for SBA disaster assistance.)

 

Disaster Loan Assistance – Login

Small business Size Standards Used To Define Small Business Concerns by industry NAICS codes

SBA Loan Three Step Process

 

Coverage Impact From Coronavirus Relating To Business Income Within Your Commercial Insurance Policy

With the number of people infected by the Coronavirus growing every day, customers are voicing their concerns about how their insurance coverage will protect them from potential closures and lost revenue.

We’ve had a number of clients ask what coverages will protect them from losses resulting from the COVID19 virus. Organizations that rely on physical locations for their business like manufacturing plants, schools, nursing homes, daycare facilities, and bus companies, aren’t sure what protection they have from business interruption. 

Unfortunately, it appears that the ISO Business Income and Extra Expense Coverage Form, CP 00 30 10 12, coupled with the Causes of Loss – Special Form, CP 10 30 09 17, will not cover these losses for three reasons:

  • Coverage applies only if there is “direct physical loss of or damage to property.” The virus is wreaking havoc on people but not property.
  • The “Causes of Loss” form excludes coverage “for loss or damage caused by or resulting from any virus, bacterium or other microorganism that induces or is capable of inducing physical distress, illness or disease.” The Coronavirus fits this description.
  • The form also excludes losses resulting from “delay, loss of use or loss of market.” There is no coverage for losses resulting if a homecare operation has to stop sending aides or if clients start to cancel because the virus has caused people to stop traveling. (Big I Insurance)

Your organization has a number of decisions to make if unable to shift operations from a physical location to a remote opportunity. Some organizations can continue operations remotely, while others may be forced to close due to the Coronavirus. We recently published this article on how to keep your business operational during the outbreak. 

The Insurance Services Office (ISO) announced on Feb. 7, 2020, that they’ve published two advisory endorsements to the Business Income & Extra Expense Coverage Form for insurers to adopt and file if they wish. According to the blog post on Verisk’s website:

The first endorsement provides limited coverage in the event that a business suspends operations due to closure or quarantine ordered by a civil authority. This endorsement also provides coverage with respect to dependent property that is named in the policy and for vehicles and mobile equipment, where applicable.

 

The second endorsement also provides coverage when a business is forced to suspend operations due to the closure (or restricted use) of the public bus, rail, or ferry lines by civil authorities. (Verisk)

Workers’ Compensation is another coverage that can be affected by the COVID19 virus if a hypothetical worker can prove that they were exposed to the virus at their place of employment.


Commercial General Liability coverages can be applied in cases where an employer has allegedly neglected to remove an infected employee from the workplace, thus facilitating the further spread of the virus. Be aware, ISO offers an endorsement, CG 21 32 05 09, Communicable Disease Exclusion. This endorsement excludes coverage for bodily injury, property damage, and personal and advertising injury arising out of the actual or alleged transmission of a communicable disease. It also applies to alleged negligence in:

  • Supervising, hiring, employing, training or monitoring of others that may be infected with and spread a communicable disease;
  • Testing for a communicable disease;
  • Failure to prevent the spread of the disease; or
  • Failure to report the disease to authorities.

For more information on whether your organization is prepared for the potential losses coming from the Coronavirus outbreak contact a Risk Advisor or Call 914-357-8444. 

 

https://www.insurancejournal.com/news/national/2020/02/26/559383.htm

https://www.biginy.org/newsfeed/Lists/Posts/Post.aspx?ID=778

Our SIM-Hacking Prevention Guide

We recently wrote a piece about what SIM-Hacking or SIM-Swapping is. Click this link here to read it. We’re following up on that article with a quick guide to preventing SIM-hacking. We’re not here to re-explain what SIM-hacking is, we’re here to talk about how to protect yourself from risk.


If you agree with us that SIM-Swapping is a potential problem and you want to protect yourself, this guide can help you lock down your accounts against cybercriminals.

 

1. Make a list of the important stuff that would pain you if you were hacked.

Here are a few accounts to start with. Your list of accounts to protect may grow longer, but these accounts would be the most problematic.

  • Work Email/Work Google Account
  • Bank Account for Work or Personal
  • Organizational/Workplace Databases
  • Social Media Accounts (Facebook, LinkedIn & Vimeo)

2. Understand how each account lets you recover/reset your password.

In this case, each one uses 2-step verification. The first factor is typically the primary email address you used to set up the account. The second factor is your mobile phone number (text messaging). I suggest testing each account above by having it bring you through the steps of a password reset. The ones that send a text message to your mobile phone are the ones most vulnerable to SIM-hacking, since intercepting those text messages is the purpose of the attack.

These are the accounts we are going to lock down in the next few steps.

 


How To Protect Yourself From SIM-Hackers

At Metropolitan Risk, we purchased a YubiKey, which is a small piece of hardware that replaces the text message/cellphone as a second-level authenticator. Google offers a similar product known as the Titan Security Key. We opted to use a security key because you must have the key in your physical possession and you must confirm to the hardware that you are a human being. These security keys require a human touch to confirm and activate the key. If you don’t like the idea of a separate piece of hardware, there are apps for your cellphone called Authenticators that can do similar things.

We opted for a piece of hardware separate from the cellphone as the 2nd step in the 2-Step Verification. We do use an authenticator as a 3rd-level authentication process in the event we lose the YubiKey hardware.

 

1. If you’ve purchased a YubiKey, your next task is to log into the accounts you are concerned about & research the multi-step authentication process for password recovery.

    • This is the most time-consuming part of the process, as each account can have different methods & steps to execute this piece.
      For example, you are telling Google not to send a text message to your cellular phone. Instead, you are telling Google to look for your YubiKey as the primary authentication.

NOTE: If your organization manages your email account, speak with your admin. As our Google account administrator, I’ve turned on 2-step verification to allow my staff to use a YubiKey. My staff would not have been able to set this up without admin approval. CLICK HERE for a quick guide, using Google as an example, on how to execute 2-step authentication.

2. Once you follow the instructions for linking your account with the YubiKey you can select “trust this device”. This way you won’t need to use the YubiKey every time you log into an account because the software recognizes your device AND it has been properly authenticated.

What Happens if I lose my YubiKey?

In all the accounts you set up with the YubiKey, make sure there is a 3rd way to authenticate in case the YubiKey isn’t available for some reason. This gives you an additional way to access your account and prevents you from getting locked out of, say, your Google account. In our case, we use Google Authenticator as the 3rd option in case the YubiKey is damaged or otherwise unavailable.

Call me paranoid, or maybe just a Risk Advisor… same thing. I purchased a TILE which is essentially a very small chip that allows me to always locate whatever the chip is attached to. I have one for my wallet, one for my keys and one for my backpack. You download an app onto your cell phone. The cell phone app communicates with the tile which is attached to your keychain/YubiKey and voilà, keys found. It can also reverse and help you find your cellphone by making it ring if you press a button, even when the sound is on mute for the phone.

Help and More

At this point, I’m feeling better about my personal situation.

The 2-step verification ensures that the person accessing your account on a new device is you. Remember, once a hacker obtains your user name and password, they try to access your account from devices that are not recognized by the site or software. The software is trying to figure out whether it is really you on a completely different device or a hacker. Unless the hacker has some way to authenticate their device and trick the software into believing it is you behind it, they aren’t getting in.

Last point: it’s just like the physical world. If they really want to steal your car…gone. But by locking down your digital life and making it a bit more difficult, you get the hackers to move on to easier prey, as they usually do. And there is no shortage of easy prey out there.

We hope you found this helpful. There are a ton of resources online to execute this tactic to lock down your accounts and your life. Our goal was simply to make you aware of SIM-Hacking and at least get you to start the process of locking down your very vulnerable digital life.

Still have questions? Still want more info? Contact a risk advisor today OR visit our website here.