
How Workers’ Compensation Class Code #8873 “Telecommuter Reassigned Employees” Can Help You Save Money On Your Insurance Premium


If you are a business owner, you might be wondering how to adjust your workers’ compensation rates for employees that you kept on the payroll but who did not actually perform their duties. It doesn’t make sense to pay workers’ comp premiums for an expensive labor class during a workers’ comp audit when those employees were essentially paid to sit home.

 

Over the past eight months, we have experienced difficult and trying times due to the pandemic. One critical aspect of the first few months of the pandemic was the ability of employers to keep their employees on the payroll whether or not they were actually performing their duties. The PPP program went a long way in helping employers achieve that important concession. 

 

The question that has come up recently with many employers is how to properly account for the portion of payroll paid to workers who didn’t actually perform their duties. In industries like construction or healthcare, the insurance cost basis can generate a lot of insurance premium because the class codes for those labor components have high insurance rates tied to them.

Now there is relief on workers’ compensation premiums for these “reclassified” employees.

The New York Workers’ Compensation Insurance Rating Board (NYCIRB) has released a new class code for ‘Telecommuter Reassigned Employees’.

The Temporarily Reassigned Employees provision, which establishes new classification code 8873, Telecommuter Reassigned Employees, requires that the code be applied to the payroll of employees who, during New York’s stay-at-home order related to the COVID-19 pandemic (and future stay-at-home orders), are reassigned to either (a) not perform any work duties (idle), or (b) perform clerical work duties at home that they otherwise would not perform. The rate per $100 of payroll for Classification 8873 will mirror the rate for Classification 8810 (clerical office employees).

Further, this provision is applicable at the start of New York’s stay-at-home order and for up to 30 days after its conclusion. Employees who are classified to code 8871, Telecommuter Clerical Employees, are to remain classified as 8871.

In other words, the new 8873 classification only applies to employees who are reassigned and meet one of the two conditions described above. These amendments are effective for all new and renewal policies effective May 1, 2020, as well as to all in-force policies as of March 16, 2020.

We have provided the NYSIF Q&A sheet of commonly asked questions about this new workers’ compensation class code.

We would be happy to review the parameters of the new class code and the impact it may have on your business. Please contact one of our Risk Advisors to discuss further.

Buying Cyber Insurance Does Not Protect Your Organization From Hackers

Understand that purchasing Cyber Insurance does not protect your organization from hacking. It simply finances some, not all, components of the loss. A recent report by cybersecurity company Barracuda found that Google-branded spear-phishing attacks are up significantly since the start of 2020. These attacks only accounted for 4% of the total cyber attacks in 2020 so far. Barracuda reported over 100,000 form-based attacks since Jan. 1, 2020; 65% of them were branded to look like a Google form. These Google-branded attacks are significantly more prevalent than other branded competitor attacks. Microsoft was the 2nd most impersonated account at 13% of the total spear-phishing attacks (2).

With 43% of all cyberattacks targeting small businesses (1), and the attacks increasing by 73% since the pandemic, we encourage your company to build out “Operation Lockdown”. That’s what we called it at Metropolitan Risk after we read a Wall Street Journal article on how cybercriminals are increasingly attacking small businesses and holding their work files for ransom. Cybercriminals understand that many small and medium-sized businesses haven’t the focus, the budgets, and the staffing to defend against these cyber attacks. They are in effect low-hanging fruit and easy prey.

Further, many businesses are now even more vulnerable due to the recent mobilization of the workforce away from the physical office. This is because home networks aren’t secure: the data doesn’t sit behind a firewall or is not encrypted like in the office. While newly remote employees are struggling to create routines and employers are focusing on this new shift in workflows, cybercriminals know the back door is unlocked.

 

Here are two really important concepts to understand, assuming we have your rapt attention with respect to the soft underbelly of your org. Understand that locking down your company from a cyberattack doesn’t guarantee that you won’t be hacked and won’t suffer damage. What it does do is significantly lower the probability that such an attack will be successful or cause much damage. A friend of mine, Nick Lagalante from Tenable Cyber Security, explains it this way: “Your goal is not to outrun the bear, your goal should be to outrun the slowest runners.” In essence, by making it more difficult to penetrate your systems and employees, you give cybercriminals a reason to move on quickly and find a softer target.

Here’s the second big picture item to understand: Cyber Insurance is NOT cyber risk management. Cyber insurance functions as a way to finance the loss you incurred from the hack. It’s a safety net when plan A (Operation Lockdown) fails. It should NEVER BE PLAN A. Here’s more good news. Once you have been hacked, the chances of you being hacked again go up exponentially. Insurance carriers know this, which is why Cyber Insurance policies increase significantly in cost once you have been hacked: the carriers’ exposure to loss increases if they decide to insure you!

 

This is why we built this case study on how we at Metropolitan Risk took this challenge on for ourselves. It’s not the holy grail of cybersecurity prevention, and we don’t want to lead you to believe it is. What our case study does is make you a bit faster than most of your competitors who will suffer a hack and the corresponding costs that go with it. At Metropolitan Risk our goal is to keep you cost-efficient and cost-consistent. When you read our Case Study it gives you an idea of how to organize the challenge and address each item incrementally. The case study is only available to current Metropolitan Risk clients or potential prospects.

 

Last point, and this is a big one. You don’t have to figure all this out on your own. As a reminder, we actually built a Cyber Assessment for small to medium-sized businesses that assesses your current systems, protocols, and security measures. Upon completion, you get a report that gives you a green light for things you have done well, yellow for items that need to be tweaked, and red for let’s jump on this ASAP.

 

Then we suggest we get you a really solid cyber insurance policy as a Plan B just in case. Our Cyber policies are 25% less expensive IF you execute our assessment and tackle the items in red.

 

How do you eat an Elephant? Piece by piece. CLICK HERE to sign up for our Cyber Assessment. 

 

Having The CORRECT Business Interruption Insurance Determines If Your Business Survives

Business Income Insurance or Business Interruption Coverage is not only the most often overlooked insurance coverage, but the error rate in how it’s calculated is over 90%, and I am being generous here. Skeptical? Pull your policy. My guess is your current agent or broker just applied your gross sales to arrive at the Business Interruption limit, or worse, if it’s actual incurred loss, it’s only for 12 months. I love actual incurred loss; what it should state is “Actual Incurred Loss As Calculated By The Insurance Company”. Yes, there is a HUGE difference.

 

Embedded in most insurance policies are provisions for “business interruption insurance” or “business income”. It’s these provisions that provide coverage for loss of critical business income, the financial sustenance a business needs to survive. Simply because your business suffers a loss, your bills don’t stop. I know my landlord at Bridge Street in Irvington NY wants his check on the 1st of each month, regardless of any business or personal tragedy. He knows his bills keep coming as well; it’s a vicious cycle. Thus quite often you have insurance to help bridge the financial gap between your actual revenue and the revenue that your business would have enjoyed except for a covered event. How the loss is calculated and ultimately reimbursed is an article all by itself, and it differs depending on what type of business you are in (i.e. manufacturer, restaurant, retail wine merchant, hotel).

 

If NY Business Interruption Insurance is deemed critical to the survival of your business, we suggest performing a Business Income Stress Test. Quite simply, what we do is offer up two or three likely claim scenarios that would potentially keep most C.F.O.’s up at night. We overlay your company’s current financials (P&L, Balance Sheet) and apply the insurance carrier’s formula for calculating the business interruption portion of the loss, which is contained in your insurance policy. In each claim scenario, we show you what your potential shortfall is BEFORE the loss occurs, which is a critical point. To perform this calculation after the event is called a CLAIM, which at that point is simply P&L triage to get you through the month.

 

It’s absolutely essential that this stress test be performed on every business. In our business we can pick up and move to a temp facility provided there is power, and be operational in a matter of hours. A NY Wine Merchant, or Westchester NY Restaurant cannot. Understanding your cost structure, what is and is not reimbursable, and planning for it upfront quite often is the difference between life and death for many small businesses because they don’t have the financial cushion or the credit lines to make up the difference. The insurance proceeds from business interruption, or business income claim is the only financial lifeline.

 

If you are interested in seeing how your business would fare in our proprietary Business Income Stress Test, please speak with one of our Risk Advisors or call 914-357-8444.

Cyber Security Awareness Month

October is Cyber Security Awareness Month! 

 


Cybersecurity is one of the fastest-growing concerns for businesses as many opportunities for growth within an organization have developed into fully remote positions. To celebrate Cybersecurity Awareness Month, we suggest having these conversations with your team:

 

Cybersecurity management starts with training your organization to recognize potential cyber threats.  This year’s theme for Cybersecurity awareness month is Do Your Part. #BeCyberSmart 

Follow our social media accounts for our updates throughout the month. If you need more information on cybersecurity or cyber liability insurance, contact a risk advisor at 914-357-8444. Remember, do your part. #BeCyberSmart.

 

Social Engineering: Meaning and Impact

Definition

Social Engineering is the use of deception to extract sensitive, personal information that can then be used for further purposes, such as bank fraud, account takeovers, or identity theft. Cyber hackers primarily use social engineering when attempting to steal the information of online users who are unaware that a hack is happening. The main type is phishing, which is fraudulently fishing for people’s information online through malicious contact.

Importance of Social Engineering

So why is social engineering important? Well, it can impact any of us at any time. Think about this. Currently, hackers have software applications designed to override firewalls and cybersecurity worth millions of dollars. However, hackers know technology is strict; a firewall will not give up information easily, but humans will. So, in a world of technology and hacking, hackers use human emotion and volatility as their main weapon. Hackers can use the main target or those who directly know them to get any sliver of personal information that can help them in their quest. This is why every cyber user (which is most to all of us) needs to be aware of social engineering and its extreme dangers.

Impact of Social Engineering

Every day, cyber-attacks occur on users who never had the proper protection against the attack. Then, they lose precious financial or personal information to hackers. Social engineering will continue to happen and impact us as long as certain things remain constant: if users are still inputting too much personal info into websites that can be hacked at any time, if people remain unaware that they are releasing personal info of themselves or others to a hacker, or if their cyber liability coverage does not protect themselves or their company against social engineering.

An Example

The scariest part of social engineering is sometimes the hackers never need to come in contact with the targeted account’s user. Once you give your personal information to a website like Facebook or Twitter, the social media company and all its employees with high-level access can access your data and sell it for profit.

In late July 2020, there was an aggressive Twitter hack. According to a WSJ article, a user named “Kirk” on a hacking forum claimed he was a Twitter employee who had gained access to many Twitter accounts and was selling them from $500-$10,000 an account, including Joe Biden, Elon Musk, and others.

The problem with these social media companies is that, due to the employees’ level of cyber knowledge, they will give everyday employees who make normal amounts of money way too much access to the internal networks of their websites. These employees can take this information and use it for large-scale hacks like that seen a week ago. Or, they can give bits of information about different users’ accounts to hackers, without the user ever knowing.

Social Engineering is a component of cyber liability coverage that is often overlooked by businesses in any industry. However, it should be a crucial component of any written policy regarding cyber liability protection, individually or company-wide. For more information, click here.

New Jersey’s New COVID-19 Workers’ Compensation Legislation Favors Employees

On Sept 14, 2020, New Jersey Governor Phil Murphy signed into law Senate Bill 2380 (S2380), expanding access to workers’ compensation benefits for workers infected with COVID-19. This bill retroactively covers COVID-19 positive “essential” workers back to March 9, 2020.

This new law diminishes the usual requirement of a worker to prove that his injury or illness was caused on the job. This new law presumes that essential workers’ illnesses arising during the pandemic are related to their work.

Employers can only rebut this presumption if they can demonstrate that the essential worker was not exposed to COVID-19 at their place of work.

The law redefines “essential employee” as an employee in the public or private sector who, during a state of emergency: (1) is a public safety worker or first responder; (2) is involved in providing medical and other healthcare services; (3) performs functions which involve physical proximity to members of the public and are essential to the public’s health and safety (e.g. grocery clerk); and (4) any other employee deemed an essential employee by a public authority. It should be noted, however, this presumption will only apply if the employee contracts COVID-19 during the State of Emergency.

Note: Gov. Murphy declared a State of Emergency in New Jersey on March 9, 2020, and has extended that order indefinitely.

New York State currently does not have a similar law but is also considering rebuttable presumption legislation.

Claims paid in relation to this bill would be excluded from consideration when calculating an employer’s Experience Modification Factor, negating any direct impact on the employer’s workers’ compensation premium.

When you see a state legislate insurance coverage like this, it has a downstream adverse effect in that local market. At the very least, you may see insurance rates increase due to the additional exposure insurers are asked to carry. The work comp rates currently in effect did not contemplate coverage for a pandemic. Further, insurers cannot recoup their losses through the EMR as they do with all other claims, which means they need to take rate increases. It is exactly the wrong time to saddle NJ business owners with higher costs.

Fortunately, as a business owner who is paying attention, there are steps you can take to mitigate this. For More Information on how this new legislation may affect your New Jersey business, contact a Risk Advisor at 924-357-8444.

 

Source: https://www.natlawreview.com/article/nj-law-expands-access-to-workers-comp-benefits-essential-employees-infected-covid-19

Why Passphrases are the Future of Logins

Every so often, whether it be for a company software program like MOZ, a school database like Blackboard, or even a personal social media account on Twitter, you get one of two ominous messages.

The Unwanted Messages

You get the “time to reset your password” right after you slowly got used to your new password. Now you have to create a new password that’s memorable but is also hard to crack. Yes, it is a measure of security and caution from the website that is admirable. It is a pain at best for the user.

Then there’s the other message: “oops, you forgot your password too many times. Let’s reset it!” This one is arguably worse because of two things. One, you have to create a whole new password just like the mandatory reset times. Two, you have to make it easier to remember than your last one, since you just forgot it. That makes hacking these passwords so easy.

Where we are with Passwords

While there are some awesome dual-factor authentication apps and tricks as well as new biometric security measures, hacking password details could not be easier right now. Soon, we’ll be strictly using biometric passwords like eye scanning and finger pad touch, or just using dual-factor with an app like Duo Mobile. But for now, passwords are becoming ever so easy for cyber criminals to hack. They have more advanced technology that can run dictionary hacks and algorithm checks at 1,000,000,000 searches a second. And the only thing standing between your account with credit card info and their supercomputer is the password “qwerty12345.” All jokes aside, that password is extremely common, and there are simpler derivatives of that password among the 25 most common passwords of 2020.

Passphrases

While waiting for that futuristic physical password technology, allow me to introduce you to a better password type: pass-phrases. Pass-phrases are exactly what they sound like. A pass-phrase is not a word with numbers and symbols; it is a whole phrase that may also include numbers and symbols. While some say it is only a small step of improvement over passwords, let me tell you why they are much more protected.

Benefits of Passphrases

First, the guideline check is simple. Passphrases satisfy the password guidelines on the vast majority of sites just as well as passwords do. They are also supported by many sites, meaning you will be able to use these wherever you can use your normal pass-word.

They’re more secure. It’s that simple. The more characters and the more variety in the characters, the better. As in, if your password is football10!, that is a password a hacker can crack manually, it’s so straightforward. Now imagine it being “Mile High Miracle 512!” That’s 21 characters compared to 11, which makes the computers check for 10 factorial more possibilities. Simply, that means “football10!” is a mid-sized fish in a river, and “Mile High Miracle 512!” is a krill in the Pacific.
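The comparison above can be worked through in numbers. This is an added example, not part of the original article: it estimates how many guesses each secret costs an attacker running at the article's 1,000,000,000 guesses per second, both for blind brute force and for a dictionary attacker who guesses whole words. The 100,000-word dictionary size is an assumption, and the word model treats every word as an independent pick, so a well-known phrase that appears in a phrase list is weaker than the figure shown.

```python
import re
import string

GUESSES_PER_SECOND = 1_000_000_000  # attacker speed quoted in the article
WORDLIST_SIZE = 100_000             # assumption: size of the attacker's dictionary
SYMBOLS = 33                        # ASCII punctuation (32) plus the space
SECONDS_PER_YEAR = 365.25 * 24 * 3600


def charset_size(secret):
    """Size of the smallest standard alphabet covering every character used."""
    size = 0
    if any(c in string.ascii_lowercase for c in secret):
        size += 26
    if any(c in string.ascii_uppercase for c in secret):
        size += 26
    if any(c in string.digits for c in secret):
        size += 10
    if any(c not in string.ascii_letters + string.digits for c in secret):
        size += SYMBOLS
    return size


def brute_force_guesses(secret):
    """Guesses needed to try every string of this length over that alphabet."""
    return charset_size(secret) ** len(secret)


def pattern_guesses(secret):
    """Guesses needed by an attacker who tries dictionary words for each run
    of letters and single digits/symbols elsewhere, in the secret's layout."""
    total = 1
    for token in re.findall(r"[A-Za-z]+|[0-9]|[^A-Za-z0-9]", secret):
        if token[0] in string.ascii_letters:
            total *= WORDLIST_SIZE
        elif token in string.digits:
            total *= 10
        else:
            total *= SYMBOLS
    return total


def years_to_exhaust(guesses):
    """Time to try every candidate at the article's guessing rate."""
    return guesses / GUESSES_PER_SECOND / SECONDS_PER_YEAR


if __name__ == "__main__":
    for secret in ("football10!", "Mile High Miracle 512!"):
        print(secret)
        print("  brute force: %.3g years" % years_to_exhaust(brute_force_guesses(secret)))
        print("  word-aware:  %.3g years" % years_to_exhaust(pattern_guesses(secret)))
```

The brute-force figure makes “football10!” look safe for thousands of years, while the word-aware figure shows it falling in under a second; the passphrase stays out of reach under both models.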

Example of good Passphrases

Also, football is too simple, and there’s no change after football. Being as specific as possible is best. Take Mile High Miracle 512! Mile High Miracle is a nickname for a specific famous game that my favorite team, the Baltimore Ravens won (it’s a reference to them beating the Denver Broncos in Denver). Next, the 512 part. The game is mostly famous because of one play. The Baltimore quarterback, number 5, threw a last-gasp touchdown to Baltimore wide receiver number 12, to tie the game. 512 is incredibly more random than 10, yet feels more memorable. See how easy that was?

Concluding Thoughts

My point is that passphrases are easier to remember than those one word and 2 number passwords. Especially if they’re close to your heart and mean something. That could mean a song lyric/title/album, or a movie phrase, or a famous sports moment. So if you are a big music fan, next time you are resetting your Chase account, take a minute before you rush to put “RockFan12345.” Think about passphrases, and try something more along the lines of “St41rway 2 Heav3n” instead. Trust me, the time it’ll take to remember which e becomes a 3 is the difference between a bank account compromise and having your financial records safe.

Still confused? Want to learn more about passphrase protection? Or just about cyber security in general? Contact a risk advisor today at 914-357-8444 or visit our website here.

Cybercriminals Are Targeting HR Depts. With This Resume Scheme

Trojan malware attacks are resurfacing since businesses are starting to return to work embracing a new normal in a post-COVID-19 world. Organizations have started to resume their hiring practices by posting job opportunities on their website, across job boards, and on LinkedIn to reach as many potential candidates as possible.

Some of these businesses are streamlining their hiring process by requesting that resumes are directly emailed to their HR department. Streamlining this process is creating new exposures in cybersecurity due to a cybercriminal’s ability to socially engineer the situation. 

 

 

Cybercriminals are sending emails with attachments posing as resumes to HR departments. The premise of these attacks is a modern-day Trojan Horse: a threat posing as a harmless gift. Trojan malware is not a new cyberattack, but it is one of the least suspected.

If your HR Department fields dozens of resumes a day, there is a significant chance that one of the resumes they open could contain malware. If the file does contain malware, your organization could be allowing keylogging software or ransomware onto your server to attack unencrypted files. 

Without the HR department’s knowledge, a cybercriminal can attach a malicious file to an email that mirrors any other job seekers’ resume. The cyberattack can download ransomware or keylogging software onto the HR department’s computer or infect the entire network. 

 

Ways to Avoid A Potential Trojan Malware In Your inbox.

 

  1. Avoid Resumes sent as Word documents. Have job candidates submit their resumes as plain text within an email or as a PDF. Word Documents are the 2nd most likely file type to contain malware. ZIP and program files are the most likely. 
  2. Do not click social media links embedded into the email. If an applicant shares a link to their social media accounts, don’t click the link. Type out the full URL to ensure the social media account exists. Or search the social media website for the user name your applicant has given you.
  3. Use a recruiter. Working with a trusted recruiter is one way to reduce the number of random emails with attachments that end up in your HR department’s inbox. A trusted recruiter will share only the resumes that are the best fit for your organization.
  4. Have resumes submitted as plain text files instead of as an attachment. If you’re using a web form, have applicants upload their resume as plain text right into a response box instead of having applicants attach a document to an email or upload a document.
  5. Have applicants fax or mail their resumes. Paper wins against malware every time. Submitting a resume through fax or the regular mail ensures there is no way that the submitted resume can contain malware.
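The file-type advice in the list above can be enforced at the mailbox instead of left to the reader's eye. The following is an added example, not part of the original article: it parses a message, identifies each attachment from its leading bytes rather than its name, and accepts only PDF and plain text, quarantining Word documents, ZIP archives and program files. The sample message, file names and the accept/quarantine labels are constructed for illustration, and the attachments are harmless stubs that only mimic file headers.

```python
import io
import os
import zipfile
from email import message_from_bytes, policy
from email.message import EmailMessage

# File kinds the article's advice accepts, with the extension each must carry.
ALLOWED = {"pdf": ".pdf", "text": ".txt"}
OLE2_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"  # legacy .doc/.xls container


def classify(data: bytes) -> str:
    """Identify an attachment from its content, ignoring the claimed name."""
    if data.startswith(b"%PDF-"):
        return "pdf"
    if data.startswith(OLE2_MAGIC):
        return "ole2-office"
    if data.startswith((b"MZ", b"\x7fELF")):
        return "program"
    if data.startswith(b"PK\x03\x04"):
        try:
            names = zipfile.ZipFile(io.BytesIO(data)).namelist()
        except zipfile.BadZipFile:
            return "zip"
        if any(n.startswith("word/") for n in names):
            # Macro-enabled Word files carry their VBA project in this part.
            return "word-macro" if "word/vbaProject.bin" in names else "word"
        return "zip"
    try:
        text = data.decode("utf-8")
    except UnicodeDecodeError:
        return "unknown"
    return "text" if "\x00" not in text else "unknown"


def triage(raw_message: bytes):
    """Return (filename, detected kind, verdict) for every attachment."""
    msg = message_from_bytes(raw_message, policy=policy.default)
    results = []
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        kind = classify(part.get_payload(decode=True) or b"")
        ext = os.path.splitext(name)[1].lower()
        # Accept only when the content is an allowed kind AND the name agrees.
        ok = ALLOWED.get(kind) == ext
        results.append((name, kind, "accept" if ok else "quarantine"))
    return results


def build_sample_message() -> bytes:
    """Constructed test mail: harmless stubs that only mimic file headers."""
    docm = io.BytesIO()
    with zipfile.ZipFile(docm, "w") as z:
        z.writestr("[Content_Types].xml", "<Types/>")
        z.writestr("word/document.xml", "<document/>")
        z.writestr("word/vbaProject.bin", b"placeholder, no macro code")
    msg = EmailMessage()
    msg["Subject"] = "Application for open position"
    msg.set_content("Please find my resume attached.")
    msg.add_attachment(b"%PDF-1.4\n% constructed stub\n", maintype="application",
                       subtype="pdf", filename="resume.pdf")
    msg.add_attachment("Jane Doe\nExperience: ...\n", filename="cv.txt")
    msg.add_attachment(docm.getvalue(), maintype="application",
                       subtype="octet-stream", filename="resume.docx")
    msg.add_attachment(b"MZ" + b"\x00" * 62, maintype="application",
                       subtype="pdf", filename="portfolio.pdf")
    return msg.as_bytes()


if __name__ == "__main__":
    for row in triage(build_sample_message()):
        print(row)
```

The last sample attachment is named and labelled as a PDF but starts with a program header, which is why the check compares content against the name instead of trusting either alone.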

These are a few ways to reduce the risk of Trojan malware attacking your organization. For more information on how to protect your organization from cyber risks, contact a Risk Advisor at 914-357-8444.

Source Article: Hackers  Targeting Employers- Forbes

 

 

The SHIELD Act : How It Affects Your Business In New York

Due to the increasing concern about the security of personal information, many states feel the need to implement data and cybersecurity laws to protect private information exploited by malicious hackers. On July 26th, the governor of New York signed the SHIELD Act to protect the data of the state’s residents and broaden New York’s security breach notification requirements. The SHIELD Act, or Stop Hacks and Improve Electronic Data Security Act, requires any person or business whose computerized data includes the private information of a resident of New York (“Covered Business”) not only to implement and maintain reasonable safeguards to protect the confidentiality, security, and integrity of the private information, but also to meet proper breach notification requirements.

Every NY business owner must comply with the SHIELD Act because “private information” includes a lot of sensitive data. It is imperative to understand what the definition of private information means as it includes, but is not limited to a username or email address in combination with a password, a name, phone number, driver’s license number, CC number, etc. This does NOT include publicly available information that is lawfully available. This act also expands the definition of Breach, as Breach now includes unauthorized access, rather than solely unauthorized acquisition.

To be compliant with the SHIELD Act’s data security requirements, a business must implement a data/cybersecurity program that has reasonable administrative safeguards, reasonable technical safeguards, and reasonable physical safeguards. These reasonable safeguards must be appropriate and align with the size/complexity of a business. This act highlights the importance of HR professionals and in-house employment involvement in their organization’s information security. This act also adds breach notification requirements.

For example, if an HR Professional accidentally emails “private information” to the wrong employee, the employer must document this as an inadvertent disclosure which won’t result in misuse and maintain this documentation for 5 years. If the information covered more than 500 New York residents, the employer would have to submit documentation to the attorney general within 10 days. If you fail to comply and notify the attorney general, there are $20 fines per notification with a maximum penalty of $250,000 (effective Oct. 23, 2019).

This is extremely important for employers to understand in order to comply with the law. The responsibility employers, HR professionals, and employees have regarding properly handling data can impact a business tremendously. The fines associated with mishandling data can lead to millions of $$$ in losses. Make sure you understand the laws, make sure you protect your data, and make sure if your company experiences a data breach you have proper risk management strategies in place to pay for the losses.

Download our SHIELD Act Guide Here

For More Information on the Shield Act and how your organization can be compliant, contact a Risk Advisor or call 914-357-8444