Category Archives: General Liability Insurance

Cybersecurity Program Checklist Help

Cyber liability insurance is a complement to a strong cybersecurity program. The insurance portion helps your organization recover costs associated with the negative effects of a successful cyber attack. Cyber liability insurance cannot prevent you from experiencing loss. A strong cybersecurity program can help mitigate some of the potential losses by making your organization a difficult cyber target.

Cybercriminals are looking for targets with minimum cybersecurity on their systems. If your organization trains your employees to recognize potential foul cyber activity and focuses on an organization-wide goal of cybersafety, you are on the right path to a strong cybersecurity program.

Managing Devices

Device management can seem like such a small part of a strong cybersecurity program, but according to NetStandard, 1 in every 3 employees does not lock their work computer when they go to lunch or leave for work (1). This leaves the computers open for every device that accesses your organization’s files. Documents can also be an access point for cybercriminals. An effective device management program encourages your employees to lock down their devices with passwords and to use better when working in public workspaces.

Password Authentication Protection

We’ve previously highlighted the importance of using multi-factor password authentication. Password authenticators vary between digital & physical authenticators, as well as options that are a combination of both. All accounts at your organization should be outfitted with a multifactor authentication process. This added layer of cybersecurity can save your organization

Email, Webpages & Social Media

Cybersecurity is more than protecting your passwords and devices. A strong cybersecurity program includes using smart practices while reading emails, entering data into unfamiliar websites, and safe social media practices. Phishing scams are one of the most common ways cybercriminals gain access to company information. These criminals pose as a safe and familiar entity and request the victim to allow them access to the account they are trying to take over.

If you have any additional concerns regarding your cybersecurity program and cyber liability coverage, contact a Risk Advisor at 914-357-8444.

Secure Your Organization Using Multi-Factor Authentication

In a time where most organizations have transitioned to remote work, cybercriminals have doubled down on network attacks. The FBI recently released a statement saying that cybercrime attacks are up over 300% since 2019. Cyberattacks range from ransomware baked into spam emails to phishing emails posing as trustworthy entities, to gain access to account information. One way organizations can better protect their business from these attacks is to mandate policies that direct every employee to utilize multi-factor authentication on every business account.

 

Password authenticators vary between digital & physical authenticators, as well as options that are a combination of both. Below we have listed a few of the most commonly used authenticators:

Digital Authenticators

One of the benefits of digital verification is that users do not need an additional physical token or device for authentication.   

Email authentication

Email verification is when a user needs to click a link or obtain a code sent to their email address to verify ownership of the account they are logging into. One of the biggest problems with email authentication is that a majority of people will reuse the same password for all of their important accounts.

Using email as a second method of authentication looks like this: 

  • A user logs in to a website with their username & password
  • A unique code or link is then sent to the user’s email address linked to the account
  • The user logs in to their email account, finds the code, and either enters the code into the application or website or clicks the link in the email
  • If the code is valid, the user is authenticated and granted access to the account.

Cellphone authentication (SMS)

The most common authentication method is through SMS messaging on a cellular phone. This method is considered more secure than email authentication because email authentication includes the risk of the email account also being compromised. The downside of SMS authentication is that SIM-hacking can render the cellphone number useless.

SMS Authentication will look like this for a standard user:

  • A user logs in to a website with their username & password
  • A unique code is sent to the cellular phone number linked to the user’s account
  • The user takes the 4-6 digit code off of their device and enters the code into the application or website
  • If the code is valid, the user is authenticated and granted access to the account. 
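
Both the email and SMS flows above end with "if the code is valid". The following added example (not code from the original page) sketches what the server side of that check typically involves: a random code, a short lifetime, single use, and a cap on guesses. The class name, the 5-minute lifetime and the 5-attempt limit are assumptions chosen for illustration.

```python
import hashlib
import hmac
import secrets
import time

CODE_DIGITS = 6          # the flows above use a 4-6 digit code
CODE_TTL_SECONDS = 300   # assumed lifetime: 5 minutes
MAX_ATTEMPTS = 5         # assumed cap on guesses per issued code


class OneTimeCodeStore:
    """In-memory store of pending second-factor codes, keyed by user id.

    Hypothetical helper for illustration; a real service would persist
    this state and deliver the code through its email or SMS provider.
    """

    def __init__(self, clock=time.time):
        self._clock = clock      # injectable so expiry can be tested
        self._pending = {}       # user_id -> salt, digest, expires, attempts

    @staticmethod
    def _digest(salt: bytes, code: str) -> bytes:
        # Store only a keyed hash so a leaked table does not reveal live codes.
        return hmac.new(salt, code.encode(), hashlib.sha256).digest()

    def issue(self, user_id: str) -> str:
        """Call after the username and password check succeeded.

        Returns the code to send to the email address or phone number
        on file. Issuing a new code replaces any earlier one.
        """
        # secrets (not random) gives an unpredictable code.
        code = f"{secrets.randbelow(10 ** CODE_DIGITS):0{CODE_DIGITS}d}"
        salt = secrets.token_bytes(16)
        self._pending[user_id] = {
            "salt": salt,
            "digest": self._digest(salt, code),
            "expires": self._clock() + CODE_TTL_SECONDS,
            "attempts": 0,
        }
        return code

    def verify(self, user_id: str, submitted: str) -> str:
        """Return 'ok', 'invalid', 'expired', 'locked' or 'no_pending_code'."""
        entry = self._pending.get(user_id)
        if entry is None:
            return "no_pending_code"
        if self._clock() > entry["expires"]:
            del self._pending[user_id]
            return "expired"
        entry["attempts"] += 1
        if entry["attempts"] > MAX_ATTEMPTS:
            # Too many guesses: discard the code so it cannot be brute-forced.
            del self._pending[user_id]
            return "locked"
        expected = entry["digest"]
        actual = self._digest(entry["salt"], submitted)
        # Constant-time comparison avoids leaking how much of the code matched.
        if hmac.compare_digest(expected, actual):
            del self._pending[user_id]   # single use: a replay finds nothing
            return "ok"
        return "invalid"


def wrong_guess(code: str) -> str:
    """Build a code that is guaranteed to differ from the real one (demo only)."""
    return f"{(int(code) + 1) % 10 ** CODE_DIGITS:0{CODE_DIGITS}d}"


if __name__ == "__main__":
    store = OneTimeCodeStore()
    sent = store.issue("alice")                        # constructed user id
    print(store.verify("alice", wrong_guess(sent)))    # a wrong guess is rejected
    print(store.verify("alice", sent))                 # the real code is accepted once
    print(store.verify("alice", sent))                 # replaying it fails
```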

Physical Authenticators

A physical authenticator is more secure than digital because there is a real device that is needed to authenticate an account. This means that the user has a tangible key or an application downloaded to a physical device that is in their presence. These physical objects make it harder for cybercriminals to hack accounts.

Application-based authentication

Applications like Google Authenticator and other verification apps use a token/code to determine ownership of the account. These applications are linked to the device, not the phone number. Application-based authenticators can be as simple as a push notification going to the phone or the application, delivering a 4-6 digit code for users to enter on the website or application of the account they are attempting to access. 

  • A user logs in to a website with their user name & password
  • The website they are attempting to access will send the user credentials to the authorization server.
  • The authorization server will authenticate the user credentials and generate a token.
  • The access token is sent to the user via an application downloaded to the user’s device
  • The user inputs the time-sensitive access token into the website they are attempting to gain access to.
  • If the token is valid, the user will gain access to the website.

Physical authentication device

At Metropolitan Risk, we supply our staff with the hardware authentication device YubiKey. This ensures that our staff is using one of the safest methods of authentication. These keys are simple to deploy to everyone in your organization. These devices help promote digital security health within an organization.  

This physical device plugs into the USB port of a computer and requires a human touch to unlock the device. 

The process of using a physical authentication device looks like:

  • Launch the authenticators’ device 
  • On the account that the user wants to log into, enter the username and password as normal
  • Find the authenticator code needed in the authenticator
  • Insert the physical authenticator key into the desktop to show the credentials needed to log into the account
  • Enter the code on the website
  • If the code is valid, the user is authenticated and granted access to the account.

Developing An Organization-Wide Plan To Implement Multi-Factor Authentication 

Once you’ve decided on a method of multi-factor authentication, your next step is execution. The size of your organization will determine how you implement this plan. While working on a plan, consult your IT department, your HR department, and various managers throughout your organization. Having your entire management staff on board with a plan helps convey the agenda to lower-level employees. 

  • Have a meeting with your supervisors, managers, and IT team about your organization’s cybersecurity efforts. 
    • Discuss how you feel you’re currently doing as an organization with cybersecurity to determine weak spots in your plans. 
  • If your organization is not currently using any method of multifactor authentication, determine which method would be best for your organization. At Metropolitan Risk we always suggest a physical key device.
    • Create a list of pros and cons for each authentication method and determine which is the best fit for your organization.
  • If you’ve decided to use a physical authentication device, determine which physical device is best for your organization.
  • Distribute the authentication devices and instructions to your employees
    • Make sure all employees are on the same page with how to manage this new software. 
    • Include additional information on how to install the authentication devices and how to better manage passwords and other important digital assets
  • Provide additional training to any employees who are struggling with updating their accounts with the new cybersecurity measures. 

Remember, cybersecurity only works if the entire organization is working towards the same goals. 

Metropolitan Risk is here to help your organization overcome obstacles that can affect your organization’s operations. Contact a Risk Advisor to book a meeting to discuss cybersecurity challenges that may be affecting your business’s insurance coverage, or call 914-357-8444.

Conducting An Organization Wide Phishing Test

Remote operation of your business means that protections your office building had, your employees’ homes may not. Cybercriminals are taking advantage of this situation by phishing out your employees’ data. Take the time to educate your employees on cyber safety. This safety training needs to expand beyond just email safety but also include cyber safety within the office. 

How To Conduct An Organization-Wide Phishing Test: 

Notify and train your employees on what phishing is:

If you don’t notify your employees, how are they going to know what is going on? Let your employees know that you will be conducting an organization-wide phishing test. Teach your employees about the risks of phishing and how they can be better at recognizing the signs.

Employees need to know that phishing is more than a link asking for login credentials. A phishing scam can be an email sent company-wide from an unknown sender containing an attachment that is actually malware. 94% of malware was delivered via email in 2018.

During this initial training session, define your organization’s cybersecurity expectations. Your employees can’t read your mind. Communication from management and the IT staff can help with educating your employees on cybersecurity best practices. 

 


 

Engage all relevant departments and managers on why phishing is a threat to your organization

Work closely among staff members such as managers, HR, and IT to develop and engage an organization-wide cybersecurity plan. If customer service is leaving the door open at the end of the day, your engineering department might be at risk for a cyber attack. 

Create an alias email account for your employees to report potential phishing scams.

An alias email allows for your organization to streamline your phishing reporting. The alias email address can be as simple as “Phishing@yourcompanysite.com”. This email address can redirect to the IT department or whoever is in charge of the network. 

This email address will allow your employees to forward the scam email right to an internal IT log specific for Phishing instead of going to the IT team and getting lost among other technical issues like website problems or a lost password. 


 

Plan your phishing test

Plan to test your entire organization to see if there are any weak links in your cybersecurity. This means including senior management in your phishing test. To plan your phishing test, you can hire a 3rd party contractor to run the test and then measure things like link clicks, which employees leaked information, and the number of employees who reported a phishing email.

 

 

 

Analyze important key metrics  

After running a phishing test, work with IT staff members and team managers to analyze key metrics. 

Key metrics to track:

  • The number of employees who click the link in the testing email
  • Number of employees who download a file from the unknown email address
  • The number of employees who report a phishing email to your IT staff or their manager. 

Take Action With Employees Who Failed The Test

Is there a portion of your staff who have continuously failed cybersecurity tests? Sit down with HR and IT to see what measures you can take to further educate and protect your business.  Work with HR to develop a plan for employee failure on every level. A breach in security is not a joke, but a high-level employee releasing admin information is a more serious offense than a low-level employee who only has access to email. 

Provide Your Entire Organization With Additional Information on Cybersecurity 

All of your employees can benefit from additional information on cybersecurity. Educate your employees on best practices to keep both business information and private information safe from hackers. This can include resources on different types of antivirus software, best practices for end of day 

 



Retest Your Organization 

Test, test, and then test again to make sure that your organization understands what is at risk with their unsafe digital activity. Every 6 months to 1 year, a random phishing test should be sent out throughout your organization. This consistent retesting keeps employees on their toes and helps employers determine which employees may be at risk of falling prey to an outside phishing attempt.

 

 

Still want more info on how your organization can better protect itself from cybercriminals? Contact one of our risk advisors at 914-357-8444. 

Resources

2019 Data Breach Investigation Report by Verizon

 

7 Common Insurance Errors Businesses Make

We recently left a meeting with one of the largest construction companies in the country, whose sales are north of a billion dollars annually. The first comment my counterpart made was, “I cannot believe how poor their systems are…” I turned to him and gave him one of my favorite lines because it still rings true to me on a daily basis, “I’m always amazed, never surprised.” Universally, whether you are a billion dollar construction company, a small manufacturer, a non-profit, or a healthcare company, these are the flaws we see in over 98% of the companies we are invited into. Here are 7 insurance errors commonly made by any and all types of companies.

1. Wrong Goal: 

Most companies set a goal of lowering their insurance spending every year. They see it as a tax. It’s an expense that doesn’t generate value. We suggest this goal is incorrect. Your claims history and risk-based costs drive your insurance costs, not your broker or the insurance carriers. 80% of an organization’s costs are outside the cost of the insurance. Furthermore, the cost of your insurance program tends to be a lagging indicator, reset only once a year. Measuring, preventing, and managing your claims and claims-related costs should be the goal, not lowering your insurance cost. If you can demonstrate to the insurance marketplace that your company is historically profitable (claims to premium ratio) then you will have carriers competing for your business, which will, in turn, lower your costs.


2. Insufficient Resources for the Goal:

The best companies at least have a safety budget. Many, sadly, don’t even have that. If you want your arms around your biggest cost drivers, you need to dedicate resources towards the solution. We suggest that you start by setting a Risk Budget, not just a safety budget. It’s helpful if you know how much money you’re leaking due to claims. Having this Risk/Reward context will help you sell your budget number to management. Moreover, if you have solid systems (see 4), you can leverage those systems to bring in other resources in a cost-efficient fashion. This allows you to stretch the budget.

Most companies don’t leverage their carrier relationships or their brokers for resources to help them with their cost drivers. Even when they do, it’s too inconsistent to have much impact. Staffing at most organizations is thin at best, whereby a single staff person is also delegated the risk responsibilities on top of all the other hats they wear.

3. Improper to Absolutely No Data:

When we ask prospective clients how they determine success or failure in their insurance program, they almost always tell us insurance premiums. Again, this is flawed. Premiums by themselves indicate nothing and often are also a false read. Instead, premiums should be converted to a rate per sales, payroll, or vehicle. Also, the insurance contracts themselves might exclude or include more risk, which swings costs. Our main point is that companies do not have the proper data to reveal their true cost drivers, hot spots, or success spots in an organization. They can’t benchmark themselves over a year’s time. They can’t benchmark supervisory employees, departments, or locations, nor can they tell you what their ROI is on their safety investment. Nor can they build compensation incentives around the company’s cost-savings goals.

Without the proper data it’s nearly impossible to change culture, results, or fix cost drivers that you haven’t even identified. Imagine being a doctor trying to diagnose a patient without running tests, looking at charts, and being able to benchmark vitals. Most companies lack this critical ability to gain insight, let alone the ability to select the correct treatment option.

4. Little Strategy:

Here’s a hint: shopping your insurance with 3 competing brokers is not a sound strategy. Yes, it may have worked for you a few times, but it’s like shooting foul shots backwards. You may get lucky, but it’s not consistently sustainable. If you set the proper goal, you can then test the marketplace with your (1) broker who can (and will) get you competitive pricing. Set your strategy on controlling and lowering your main cost drivers, and your insurance costs will follow.

5. Systems:

The best of these companies use spreadsheets to capture data, and then exchange insights via email. Most don’t even have the spreadsheets! If you have a solid system as a nucleus, you can then build both process and staff around this core system. Further you can leverage the system to hire outside specialties to address thorny issues. In absence of a strong core system, it’s very difficult to get a sustained, consistent effort bent towards solving your most vexing claims issues.

 

6. Lack of Process/Protocol:

There is so much low-hanging fruit that costs so little when it comes to managing claims cost drivers, most of which is just knowing the proper protocol when “x” occurs. Then, it’s all about communicating that protocol organization-wide, with a proper system in place to build in accountability, so it becomes natural.

Note: Having a task list is not a system. Closing the execution loop, holding people accountable, is a system. The loop is closed through a random audit process.

7. Price vs Cost:

This is a big one. Too often, we see companies focus on the price of the insurance against the long term costs. Nothing is more expensive than a cheap insurance contract. You finance your risk with operating cash flows, reserves or worse… loans. Contrary to popular belief the correct answer is not insurance. If you had the correct data, contained within a system, then you would understand the real cost drivers in your organization so you can then attack them strategically. That takes too much work, so folks just look at the premium, write the check and hope for the best.

Here’s the good news (sarcasm). There is a new class of competitor coming to your space that understands these seven points and is executing them with ambitious zeal. They understand that to truly lower their unit cost structure they need to look at their cost of risk rather than the price of their insurance. Having this ability is truly an overwhelming marketplace advantage as they will be cost efficient and cost consistent year in and year out. You will know them by their telltale signs: high growth, more market share, lower costs and higher profits.

Wash, rinse, repeat.

Our SIM-Hacking Prevention Guide

We recently wrote a piece about what SIM-Hacking or SIM-Swapping is. Click this link here to read it. We’re following up on that article with a quick guide to preventing SIM-hacking. We’re not here to re-explain what SIM-hacking is, we’re here to talk about how to protect yourself from risk.


If you agree with us that SIM-Swapping is a potential problem & you want to protect yourself from cybercriminals, then this guide can help you protect your accounts from cybercriminals.

 

1. Make a list of the important stuff that would pain you if you were hacked.

Here are a few accounts to start with.  Your list of accounts to protect may grow longer but these accounts would be the most problematic.

  • Work Email/ Work Google Account
  • Bank Account for Work or Personal
  • Organizational/Workplace Databases
  • Social Media Accounts (Facebook, Linkedin & Vimeo)

2. Understand how each account lets you recover/reset your password.

In this case, each one uses 2-step verification. The first factor is typically the primary email address you used to set up the account. The second factor is your mobile phone number (text messaging). I suggest testing each account above to have them bring you through the steps of a password reset. The ones that send a text message to your mobile phone are the ones that are most vulnerable to SIM-HACKING as that is the purpose.

These are the accounts we are going to lock down in the next few steps.

 


How To Protect Yourself From SIM-Hackers

At Metropolitan Risk, we purchased a YUBIKEY, which is a small piece of hardware that replaces the text message/cellphone as a second level authenticator. Google offers a similar product known as the Titan Security Key. We opted to use a security key because you must have the key in your physical possession and you must confirm to the hardware that you are a human being. These security keys require human touch to confirm and cycle the key on. If you don’t like the idea of a separate piece of hardware, there are some apps on your cellphone called Authenticators that can do similar things.

We opted for a separate piece of hardware to the cellphone as a 2nd step in the 2-Step Verification. We do use an authenticator as a 3rd level authentication process in the event we lost the YUBIKEY hardware. 

 

1. If you’ve purchased a YUBIKEY, your next task is to log into the accounts you are concerned about & research the multi-step authentication process for password recovery.

    • This is the most time-consuming part of the process as each account can have different methods & steps to execute this piece.
      For Example,  you are telling Google not to send a text message to your cellular phone. Instead, you are telling Google to look for your YUBIKEY as the primary authentication.

NOTE: If your organization manages your email account, speak with your admin. As our Google account administrator, I’ve turned on 2-step verification to allow my staff to use YubiKey. My staff would not have been able to set this up without admin approval. CLICK HERE for a quick guide for Google as an example of how to execute 2-step authentication.

2. Once you follow the instructions for linking your account with the YubiKey you can select “trust this device”. This way you won’t need to use the YubiKey every time you log into an account because the software recognizes your device AND it has been properly authenticated.

What Happens if I lose my YubiKey?

In all the accounts you set up with the YubiKey, make sure there is a 3rd way to authenticate in case the YubiKey isn’t available for some reason. This gives you an additional way to access your account and prevents you from getting locked out of, say, your Google account. In our case, we use Google Authenticator as the 3rd option in case the YubiKey is damaged or otherwise unavailable.

Call me paranoid, or maybe just a Risk Advisor… same thing. I purchased a TILE which is essentially a very small chip that allows me to always locate whatever the chip is attached to. I have one for my wallet, one for my keys and one for my backpack. You download an app onto your cell phone. The cell phone app communicates with the tile which is attached to your keychain/YubiKey and voilà, keys found. It can also reverse and help you find your cellphone by making it ring if you press a button, even when the sound is on mute for the phone.

Help and More

At this point, I’m feeling better about my personal situation.

The 2-step verification ensures that the person accessing your account on a new device is you. Remember, once a hacker obtains your user name and password, they try to access your account from devices that are not recognized by the site or software. The software is trying to figure out if it is really you on a completely different account or a hacker. Unless the hacker has some way to authenticate their device and trick your software into believing that it is you behind the device, they aren’t getting in.

Last point, just like in the physical world. If they really want to steal your car…gone. By locking down your digital life and making it a bit more difficult, the hackers usually move on to easier prey. Then, there is no shortage of easy prey out there. 

We hope you found this helpful. There are a ton of resources online to execute this tactic to lock down your accounts and your life. Our goal was simply to make you aware of the SIM-Hacking. At least get you to start the process of locking down your very vulnerable digital life. 

Still have questions? Still want more info? Contact a risk advisor today OR visit our website here.

What A High Experience Mod Means and How It Can Affect You

You’ve just seen your Experience Modification Rating (EMR) and it is high again. Or, in your worst-case scenario, it has gone up again. Year over year, you’ve spent time shopping for your insurance due to your high EMR. It is time to stop shopping and start proactively working to lower your EMR because eventually, it will catch up to you.

What Is Your Experience Mod?

Let’s start with a basic definition. What is your Experience Modification Rating or your EMR? A simple definition of EMR is Payroll divided by Claims. The video below explains what your experience mod is and what is expected of your organization. (If the video does not play in your browser click here.)

Remember, an average experience mod is a 1.0, this is like receiving a “C” on your report card. If you’re happy with this, stop reading now. Good luck, you’ll be competing against companies with a greater competitive advantage than you because they’ll have a much lower cost structure, higher profits, and a larger business development budget.  

Some Construction companies bidding on government work are ineligible if their EMR is above 1.0. 

How To Find Your Experience Mod Rate

The NCCI (National Council on Compensation Insurance), is a group that calculates Experience Modification Factors for companies across the entire United States. Some states have their own rating bureaus due to their size and complexity. For example, New York and New Jersey have the NYCIRB & NJCRIB respectively. For a detailed explanation of what your Experience Modification Factor is and how it’s calculated visit this site

Why is Your Experience Mod High?

There are a number of reasons why your EMR is high. The biggest factor is the number of open claims. If your organization has a high number of claims or one large claim on your Workers’ Comp policy your EMR may stay high until that claim is closed.

How This Affects Your Organization

What this means is that most companies will see another increase in their Experience Modification Factor following their next recalculation. That takes place on their “Unit Stat Date,” and, if left unchecked, your business could face higher rates, possible penalties, and Labor Department Violations.

What You Can Do To Lower Your Experience Mod:

  1. Track incidents (near misses) not just claims. Most claims can be avoided if you are meticulous about tracking all of the near misses that lead up to the eventual incident. Most claims could have been avoided in hindsight as the employee typically was taking shortcuts long before the ultimate injury occurred. Track these infractions and you will prevent at least one injury a year.


  2. Investigate accidents immediately and thoroughly; take corrective action to eliminate the hazard. If you sense fraud, get aggressive; don’t be an easy target. We suggest Why Analysis follow all incidents. That’s a whole other article that can be accessed HERE.
  3. Report all incidents to your insurance broker or Risk Advisor immediately. Studies show the longer it takes to report a claim, the more expensive it will be. A 4-week delay in reporting an injury drives the cost of that same injury by 48% according to a Hartford Insurance study of over 2 million claims.
  4. Alert your workers’ compensation claims adjuster to any serious, potentially serious or suspect claims. Frequently monitor the status of each claim, and communicate with the adjuster to resolve them as quickly as possible. If you are too busy to do that, have our Claims Advocates communicate with the adjuster on your behalf. Our Claims Advocates were insurance adjusters, so they speak that language, holding the carrier’s adjusters accountable.
  5. Every reported claim to your insurance carrier no matter the line of insurance should have an action plan attached to it to close out the claim. This is a big mistake most businesses make. They report it and then forget it until the policy comes up for renewal. At that point, they are shocked at the increase in the workers’ compensation insurance premium which is always driven by claims experience. Folks forget that workers’ compensation insurance is really a very expensive credit line to the business.
  6. Take an aggressive approach to providing light-duty or transitional work to all injured employees upon their release from treatment. Return To Work programs are extremely powerful tools for lowering the cost of a workers’ compensation claim as they give leverage back to the employer, stopping the tail from wagging the dog. Supervise light-duty employees to ensure their conformance with restrictions.
  7. In serious cases that involve lost time, communicate with the claims adjuster to demonstrate your interest in returning the injured employee back to gainful employment.
  8. Set safety performance goals for those with supervisory responsibility. Success in achieving safety goals should be used as one measure during performance appraisals. At Metropolitan Risk this is just one of the K.R.I’s (Key Risk Indicators) we emphasize to establish internal standards and accountability.
  9. Develop a written safety program, and train employees in their responsibilities for safety. OSHA rules dictate for every facility location or job site there must be a competent person. Incorporate a disciplinary policy into the program that holds employees accountable for breaking rules or rewards them for correctly following safety procedures. This should be tied into the employee handbook which each employee receives when they are on-boarded for your org.
  10. Frequently communicate with employees, both formally and informally, regarding the importance of safety, keeping safety top of mind at all times.
  11. Make safety a priority – senior management must be visible in the safety effort and must support the initiative.
  12. Evaluate accident history and near-misses at least monthly. Look for trends in experience, and take corrective action on the worst problems first.
  13. Ensure your payroll and class codes are accurate. Over 65% of workers’ compensation audits have errors. See COMP CHECK.
  14. Ensure the correctness of your mod calculation. Far too often there are errors here as well. See COMP CHECK.

You can build all this out organically by yourself OR speak to a Risk Advisor about our COMP CARE PLATFORM. We have this all built. It’s turn-key and ready to be deployed in your organization if you are serious about reducing your workers’ compensation costs. There are no short cuts…

How Metropolitan Risk Can Help

Still looking for more info? Still have questions? We have a team of Risk Management specialists who are here to help! Contact a Risk Advisor today for more information on how you can work towards lower workers’ comp costs by closing claims instead of shopping for insurance. Click here to book a 5-minute call with a Risk Advisor.

How The Insurance Marketplace Prices Your Construction Liability Policy

Do you want the secret to understanding how the insurance marketplace prices your construction liability insurance policy renewals? This is an instructional piece to be shared with your staff members in charge of assisting in the design and purchase of your insurance program.

Throughout my 30-year career, I have found it especially advantageous to have a clear understanding of what the other side is trying to accomplish, and how they execute. Too often CFOs and owners of businesses lead with how they “feel” about their company and how the insurance marketplace SHOULD price their account. Often their feelings are far from reality. Here is a primer so you know how to properly position your account, set expectations and beat your competition.

The Parameters Underwriters Use To Build Your Underwriting Risk Profile:

Every good insurance broker should be framing your company’s Risk Profile so you and they control the narrative. The Risk Profile is essentially the main underwriting package or submission the brokerage community makes on your behalf. The goal is to transfer as much risk as possible to the insurance marketplace for the lowest possible premiums. This creates the most value for you the end-user buyer. Too often insurance buyers don’t transfer nearly enough risk, simply jumping at the lower premiums incorrectly assuming the coverage they are getting is equal. THERE IS NOTHING MORE EXPENSIVE THAN A CHEAP INSURANCE POLICY!! PERIOD!

How Do You Make Your Money?

What the insurance underwriter is trying to understand is what your “craft” is: how you make your money. In construction, your business model coupled with your means and methods is a very big deal.

If your company does masonry work, they need far more detail than simply “masonry”. Are you only doing flatwork, or do you work at heights? If you work at heights, how high do you go up? Who’s your end-user client? Condos, co-ops, parking garages, commercial warehouses, municipalities?

How you answer these questions helps both the broker placing the risk AND the underwriter who is deciding what coverages to give, what exclusions to put on the policy and how much premium to charge.

We suggest that you have a well-thought-out descriptive write-up about your company in advance, which helps build your “Risk Profile”. In the absence of this, you are leaving much to chance, which is not optimal for any stakeholder.

Where Do You Make Your Money?

Your geographic footprint is very important. Insurance rates and claims experience are VERY local. The local laws really drive claims up or down contingent on the geographic region. Each locale has its own challenges and opportunities. Further, many insurance carriers restrict coverage in “hard market” locations where the challenges are acute, like all of New York State due to the Labor Law and/or, “worse”, New York City. If your operation is countrywide or international we need to know that too, as this affects coverage design and pricing. It’s important you disclose this. Often the carrier wants to know what % of sales come from each geographic region.

QUICK TIP: The higher the Risk Profile, the more risk the insurance carrier takes on which usually means they will charge more premiums in exchange for that risk.

What Are Your Results?

This is where the rubber meets the road. Our customers at Metropolitan Risk understand that the price companies pay for their insurance premiums is a function of how well they prevent and manage their claims. We did a short little video called “What’s the Most Important Metric When Evaluating Your Future Liability Insurance Costs.” If you haven’t seen it, we highly recommend it.

Spoiler alert: it’s about what your loss pic is by line of insurance. Your loss pic essentially determines how profitable your account has been to the insurance marketplace over the prior 5 years. It’s simple: if the carriers lost money on your account, expect a price increase. If they made money on your account, you should be fairly flat contingent on the overall market. If the carriers are making a lot of money on your account, you should do really well at renewal. Every company should have its most current loss pic at its fingertips at all times. This is a GREAT leading indicator. Your actual insurance renewal is a lagging indicator.

How Many Times Have You Switched Carriers?

This is a simple concept. If your account is on the street every year and you’re bidding out the insurance annually, the underwriters know this. In most markets, there are only a few insurance carriers that have an appetite for your risk profile. Like clockwork, the submission comes in, usually from different brokers. Most insurance carrier underwriters hate this. They see it for what it is: a short-term situation whereby they are renting your account for a year or 2 and then you’re off to the next dance partner. After a few submissions like this, the underwriters cease to give your file the consideration it deserves. At Metropolitan Risk we believe this really hurts the company that does this. The brokers don’t care as it’s not their story or reputation.

QUICK TIP: You should not put your account on the street every year. Once every 3 to 4 years is best practice unless you have coverage concerns or problematic exclusions that are jamming you up.

Best Practice Additions:

Here is where most other brokerages stop. At Metropolitan Risk we believe these next few additions make a HUGE difference. We have the testimonials to prove it.

A) Company Org Chart:

If you’re properly staffed with safety personnel, in-house legal counsel, HR Admins, Project Managers & Coordinators, we encourage you to highlight this. If you’re staffed properly, this is a strength of your organization. We believe there is a direct correlation between being properly staffed forward and your lagging claims results. Companies that are staffed thinly tend to have far higher losses.

B) What About Your Company Is Unique?

What are you doing as a company that’s different, unique, special, that sets you apart from your competition? Do you have a competitive advantage in your native market that makes you more competitive, increases your quality or your margins? Let’s talk about this. Those same qualities may help lower your risk profile too. We need to tell that story.

C) Got Claims?

The carriers are going to see the losses on your claims history, so there’s no hiding it. Instead, let’s talk about them: why they happened and, more importantly, what changes you have made to make sure they don’t happen again. This is really important as we are asking the underwriter to discount the historical claims performance of the account. We need to give them something of substance here so they can go to management and argue for us as to why the past won’t be prologue.

D) Don’t Just Say; Show It!

If you’re telling a good story above in B or C, back it up. Show some physical evidence to the underwriter that you are doing this. Too often both the brokers and the businesses they represent tell a good “story”, but it’s a story of fiction at worst, a story of gross embellishment at best. Adding reports, minutes of meetings, something that adds credence that you are actually doing what you say you’re doing: that is powerful!

E) Who’s Telling Your Story?

We probably should have led with this. If you were smart enough to follow the entire submission blueprint above, don’t forget the most important part. Have (1) broker submit your application to the marketplace. If your preference is to use two brokers, that’s your preference; however, please be sure to control your story. Nothing is worse than when (1) underwriter gets 2 entirely different submissions from 2 different brokers. You only have (1) shot at a good first impression. We did a great short little video on this called HOLDING ON TO YOUR STORY.

A good underwriter is not going to take the time to figure out which submission is the “correct” one. Instead, both brokers and the company they represent lose all credibility and the underwriter moves on to the next file. The bottom line: control your story. The best way to do that is to have one broker represent you in the marketplace. If you don’t trust they will get you the best price and coverage combination, then you have the wrong broker.

If you would like to see what a Best Practices Submission looks like speak with a Risk Advisor by calling (914) 357-8444 or CLICK HERE to Schedule a 5-minute call!

How to Acquire the Best Contractors Using an Approval Plan

Acquiring a contractor for a job is almost never a smooth, easy process. A contractor or specialized worker is sometimes necessary at the last minute. For that reason, it’s helpful to develop a plan for screening contractors and determining which one is best.

There are a few key steps to take in order to achieve the best results when acquiring a contractor.

The first, most important step, is to develop an approval process that either accepts or denies potential contractors. Only allow exceptions in very limited situations while documenting all thought processes on why the contractor should be used. Be sure to do this when it comes to making exceptions for contractors that aren’t initially accepted. Finally, it is important to gather data on what went right and wrong to further refine the approval process.

When struggling to find a contractor to fill a certain position, it is important to evaluate all choices and to have a system that selects the best available contractor.

An owner wouldn’t want an employee not doing their best work, so it doesn’t make sense to hire a contractor that isn’t best suited for the situation. Using a proper system will ease the task of finding a contractor, increase performance on the job, and boost the reputation of a company. Being diligent in the approval process is key.

Better contractor fits save a company time and money, whereas poor fits hurt the profit of a company. Poor fits can also potentially damage a company’s reputation. Successfully operating an approval plan also is a self-fulfilling prophecy. As more and more contractors are sorted, data is collected which further refines the plan, making it more effective. It’s a challenging process to come up with a solid approval plan but will be worthwhile in the long run.

For more information contact one of our Risk Advisors or call 914-357-8444

10 Storm Preparedness Tips for Business Continuity

Proper storm preparedness can help your organization continue to operate if an incident occurs within your offices that requires your employees to transition to remote work. A weather incident like Super Storm Sandy in 2011 taught us these tips on weather preparedness.

  1. Transfer incoming business calls to an answering service (located off the East Coast, preferably) or your cell phone voice mail. No power, no calls. You could be down for days! It’s not too late to set up a Google Voice account that provides a text translation of every call.
  2. Alert your team to back up their workspaces onto an offline platform like a USB drive or removable hard drive. Email the team to ensure they’ve backed up any information they may need while the servers are offline. If you didn’t do that, call all hands on deck to save these files. Burn it to a CD.
  3. Back up all server data to a portable device or, even better, to a service like Google Drive. Duplicate and move the data so you can plug and play when the power is back, or from a remote location.
  4. Make sure employees can access their email remotely. Remind everyone to charge their cell phones Saturday. Shut them down until Monday to conserve battery, as power may be out for days. Have them buy car chargers so they can charge the cells from the car battery.
  5. Unplug all computers, servers, and electronics to prevent circuit damage from power surges. There are a million ways the circuitry can get fried; unplug it to reduce the risk of losing your electronics to fried circuitry.
  6. Remove electronics from the floor. Many organizations set desktop workstations on the floor to maximize desk space. If your employees are not working in the office, remove these electronics from the floor to prevent water damage if flooding occurs. Leaks, blown windows, and floods coming from all directions can be a problem. I don’t care where your office is, water is fluid and indiscriminate. Get it all off the floor, and put something over the top so leaks from above can’t hit it.
  7. Have a list of employee contact information. Designate an employee or two (always good to have a back-up in case the first employee lacks cell phone service) as the designated contact. Cell service may be spotty; texting has a better shot of getting through. Create this list and distribute it to every employee. You might be working remotely for a long time.
  8. Establish a chain of communication with employees. Keep them posted. Efficient communication is critical. Set up social media accounts or email chains to ensure quick and easy communications.
  9. Alert your clients of an alternative way to contact your staff if conventional means of communication are down. Create a banner or landing page on your website to alert clients of how to reach you in the event that your office is closed. Create a landing page on your website that gives clients or customers an indication of how to reach you and what is happening with your business. Include emergency contact numbers, etc. Communication is key!
  10. Seal wind-exposed window seams with duct tape, and move sensitive items away from windows and off the floors. Take sensitive documents off the floor and out from the bottom drawers, and put them someplace safe.

For more information on storm preparedness for your business operations, contact a risk advisor at 914-357-8444.