New York Department of Financial Services Warns Businesses Who Use “Instant Quote” Software of Targeted Cyber Attacks

The New York Department of Financial Services (DFS) has issued a cybersecurity fraud alert to all of its regulated entities, describing a “systemic and aggressive” campaign to steal consumers’ private data.

The DFS has received reports from several regulated entities of successful or attempted data theft from websites that provide instant quotes to the end user. All entities using instant quote software on their public-facing websites are vulnerable to this type of data theft attack. These attackers appear to be using the stolen data to apply for pandemic and unemployment benefits.

According to this alert, all regulated entities with instant quote websites should immediately review their websites for evidence of hacking. Reports have shown that even when consumer data is redacted, cybercriminals have proven they can easily recover the full unredacted information.

Reports have confirmed several methods that criminals have used, successfully or not, to steal consumer data from auto quote websites:

  • Taking unredacted information from the auto quote websites’ HTML (Hypertext Markup Language) that was not displayed on the rendered page, but was visible in the page source.
  • Using developer debug tools to intercept & decode unredacted consumer information.
  • Manipulating the technology to access parts of a public-facing website to view where the unredacted data is stored.
  • Purchasing a policy, after requesting a quote, using fraudulent payment methods in order to view the policy owner’s information, including his or her driver’s license number.
  • Requesting a quote and receiving an agent’s contact information to use social engineering to elicit information from the agent.

The DFS has requested prompt reporting of any attempts to steal consumer information from public-facing websites. Reports of unsuccessful attacks have previously been used to identify the techniques used by attackers. This helps the DFS respond quickly to new threats and continue to help protect consumers and the financial services industry.

Any DFS-regulated entity with a website that uses this type of technology should immediately review the following indicators:

  • Data analytics and website traffic metrics for spikes of quote requests. An unusual spike in abandoned quotes occurring in a short time frame was one of the key indicators of this type of attack. On a broader scope, regulated entities should look for an increase in consumer submissions that terminate as soon as consumer data is revealed.
  • Server logs for evidence of unauthorized access to private information. After your IT team has reviewed your web traffic, have them review your server logs for that period. When examining the logs of customer sessions, security teams should check to see if there has been any site manipulation using web developer tools.
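As an added illustration of the two indicators above (this is not code from the DFS alert), the Python below parses constructed access-log lines, treats a quote session that loads the result page and never continues as abandoned, and flags addresses whose abandoned quotes, or quote starts, spike inside a sliding time window; the same count can back the per-IP quote limit the alert suggests later. The log format, the /quote/* paths, the session field and the thresholds are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed log format (not prescribed by the DFS alert): Apache/nginx combined
# format with the quote session id appended as a final "sess=..." field.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "[^"]*" sess=(?P<sess>\S+)$'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"
# Assumed quote flow: /quote/start -> /quote/result (reveals the redacted
# consumer data) -> /quote/purchase (where an honest shopper continues).
START_PATH, REVEAL_PATH, CONTINUE_PATH = "/quote/start", "/quote/result", "/quote/purchase"


def parse_log(text):
    """Parse log text into event dicts; lines that do not match are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            ev = m.groupdict()
            ev["ts"] = datetime.strptime(ev["ts"], TS_FMT)
            ev["status"] = int(ev["status"])
            events.append(ev)
    return events


def abandoned_quotes(events):
    """(ip, time) for every session that loaded the reveal page with HTTP 200
    and never reached the continue step afterwards."""
    by_session = defaultdict(list)
    for ev in events:
        by_session[ev["sess"]].append(ev)
    found = []
    for evs in by_session.values():
        evs.sort(key=lambda e: e["ts"])
        reveals = [e for e in evs if e["path"] == REVEAL_PATH and e["status"] == 200]
        if not reveals:
            continue
        t0 = reveals[0]["ts"]
        if not any(e["path"] == CONTINUE_PATH and e["ts"] >= t0 for e in evs):
            found.append((reveals[0]["ip"], t0))
    return found


def max_in_window(times, window):
    """Largest number of timestamps inside any sliding window of length `window`."""
    ts = sorted(times)
    best = start = 0
    for end in range(len(ts)):
        while ts[end] - ts[start] > window:
            start += 1
        best = max(best, end - start + 1)
    return best


def _peaks(per_ip, window):
    return {ip: max_in_window(t, window) for ip, t in per_ip.items()}


def find_suspicious_ips(text, threshold=5, window=timedelta(minutes=10)):
    """IPs with at least `threshold` abandoned quotes inside any `window`: the
    burst of abandoned quotes the alert names as a key indicator. Returns {ip: peak}."""
    per_ip = defaultdict(list)
    for ip, when in abandoned_quotes(parse_log(text)):
        per_ip[ip].append(when)
    return {ip: n for ip, n in _peaks(per_ip, window).items() if n >= threshold}


def ips_over_quote_limit(text, limit=10, window=timedelta(hours=1)):
    """IPs that started more than `limit` quotes inside any `window`; the same
    sliding-window count can enforce a per-IP quote limit."""
    per_ip = defaultdict(list)
    for ev in parse_log(text):
        if ev["path"] == START_PATH:
            per_ip[ev["ip"]].append(ev["ts"])
    return {ip: n for ip, n in _peaks(per_ip, window).items() if n > limit}


def _line(ip, hms, method, path, sess, status=200):
    return (f'{ip} - - [10/Feb/2021:{hms} +0000] "{method} {path} HTTP/1.1" '
            f'{status} 1024 "-" "Mozilla/5.0" sess={sess}')


# Constructed sample log: one address runs six quotes in six minutes and drops
# each right after the data is revealed; two ordinary shoppers for contrast.
SAMPLE_LOG = "\n".join(
    [_line("203.0.113.7", f"09:0{i}:00", "POST", START_PATH, f"a{i}") for i in range(6)]
    + [_line("203.0.113.7", f"09:0{i}:05", "GET", REVEAL_PATH, f"a{i}") for i in range(6)]
    + [_line("198.51.100.20", "09:10:00", "POST", START_PATH, "b1"),
       _line("198.51.100.20", "09:10:04", "GET", REVEAL_PATH, "b1"),
       _line("198.51.100.20", "09:12:30", "POST", CONTINUE_PATH, "b1"),
       _line("192.0.2.5", "09:20:00", "POST", START_PATH, "c1"),  # one abandonment: normal
       _line("192.0.2.5", "09:20:03", "GET", REVEAL_PATH, "c1")]
)

if __name__ == "__main__":
    print("abandoned-quote spikes:", find_suspicious_ips(SAMPLE_LOG))
    print("over quote limit (3/h):", ips_over_quote_limit(SAMPLE_LOG, limit=3))
```

Tune the threshold and window against your own baseline of abandoned quotes before acting on the output; a single shopper walking away from a quote is normal traffic.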

These are just two suggestions by the DFS. There are a number of other ways cybercriminals can access information. Regulated entities should also follow their usual procedures for detecting and responding to cyber incidents.

The DFS has suggested the following steps for entities that are using Instant Quote websites to collect information:

  • Conduct a thorough review of website security controls, including but not limited to a review of its Secure Sockets Layer (SSL), Transport Layer Security (TLS) and HTTP Strict Transport Security (HSTS), and Hypertext Markup Language (HTML) configurations.
  • Review public-facing websites for browser web developer tool functionalities. Verify and limit the access so that users cannot adjust, deface or manipulate the website content using web developer tools.
  • Review and confirm that its redaction software for consumer information is properly implemented throughout the entire transmission of the data.
  • Ensure that privacy protections are up to date and effectively protect the data by reviewing which applications use the data, who has the authorization to view the data, and, most importantly, where the data is stored.
  • Search and scrub public code repositories for proprietary code.
  • Block any IP addresses of suspected unauthorized users and consider a quote limit per user session or IP address.
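To check the redaction points in the alert (data hidden from the rendered page but still present in the HTML, and redaction holding throughout transmission), here is an added example that is not DFS or vendor code: a standard-library Python scanner that looks through a captured quote-page response for sensitive values a browser would not display (hidden inputs, data-* attributes, hidden elements, HTML comments, inline script) that are not masked. The field names, the identifier formats and the sample page are constructed assumptions.

```python
import re
from html.parser import HTMLParser

# Assumed (constructed) names of fields the quote page must redact, and the
# value shapes treated as identifiers: SSN-style, one licence-number style, a date.
SENSITIVE_KEYS = ("license", "dl_", "ssn", "dob", "birth")
ID_VALUE_RE = re.compile(r"\b(?:\d{3}-\d{2}-\d{4}|[A-Z]\d{7,8}|\d{2}/\d{2}/\d{4})\b")
# A value counts as redacted when it is mask characters plus at most four real characters.
MASKED_RE = re.compile(r"^[\sXx*#-]*[A-Za-z0-9]{0,4}$")
# key: "value" or key = "value" pairs inside script or comment text
KV_RE = re.compile(r'["\']?([A-Za-z_][\w-]*)["\']?\s*[:=]\s*["\']([^"\']+)["\']')
VOID_TAGS = {"input", "br", "img", "meta", "link", "hr"}


def is_sensitive(name):
    return any(k in name.lower() for k in SENSITIVE_KEYS)


def is_masked(value):
    return bool(MASKED_RE.match(value))


class QuotePageScanner(HTMLParser):
    """Collect sensitive values that reach the browser without being displayed."""

    def __init__(self):
        super().__init__()
        self.findings = []   # (location, field name or "?", value)
        self._stack = []     # (tag, is_hidden) for each open element
        self._in_script = False

    def _check(self, where, name, value):
        if is_sensitive(name) and value and not is_masked(value):
            self.findings.append((where, name, value))

    def _scan_text(self, where, text):
        for name, value in KV_RE.findall(text):
            self._check(where, name, value)
        for m in ID_VALUE_RE.finditer(text):  # identifier-shaped values with no key
            if all(m.group(0) != v for _, _, v in self.findings):
                self.findings.append((where, "?", m.group(0)))

    def handle_starttag(self, tag, attrs):
        attrs = {k: (v or "") for k, v in attrs}
        if tag == "input" and attrs.get("type", "").lower() == "hidden":
            self._check("hidden input", attrs.get("name", ""), attrs.get("value", ""))
        for k, v in attrs.items():
            if k.startswith("data-"):
                self._check(f"<{tag} {k}>", k[5:], v)
        style = attrs.get("style", "").replace(" ", "").lower()
        hidden = "hidden" in attrs or "display:none" in style or "visibility:hidden" in style
        if tag == "script":
            self._in_script = True
        if tag not in VOID_TAGS:
            self._stack.append((tag, hidden))

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False
        if any(t == tag for t, _ in self._stack):
            while self._stack.pop()[0] != tag:
                pass

    def handle_data(self, data):
        if self._in_script:
            self._scan_text("inline script", data)
        elif any(h for _, h in self._stack):
            self._scan_text("hidden element", data)

    def handle_comment(self, data):
        self._scan_text("html comment", data)


def find_unredacted(html):
    """Return every non-displayed, unmasked sensitive value found in the page."""
    scanner = QuotePageScanner()
    scanner.feed(html)
    scanner.close()
    return scanner.findings


# Constructed sample: the page renders a masked licence number but still ships
# full values to the browser in several places a user never sees.
SAMPLE_PAGE = """
<html><body>
  <p>Driver's license: <span class="masked">XXXXX4567</span></p>
  <input type="hidden" name="dl_number" value="D1234567">
  <div id="quote" data-dob="01/02/1990">Quote: $812/year</div>
  <div style="display: none" class="debug">ssn 123-45-6789</div>
  <!-- debug: dob=03/04/1985 -->
  <script>window.__QUOTE__ = {"quote_id": "q-77", "dl_number": "D7654321", "ssn": "***-**-6789"};</script>
</body></html>
"""

if __name__ == "__main__":
    for where, field, value in find_unredacted(SAMPLE_PAGE):
        print(f"{where:15} {field:10} {value}")
```

Run it against the actual HTTP response body of your quote result page (and any JSON the page fetches), not against what the browser renders; the point is that redaction must happen on the server before the data is sent.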

Anyone with questions regarding the alert should contact the New York Department of Financial Services directly at CyberAlert@dfs.ny.gov.

If you have any questions regarding your own cybersecurity, contact one of our Risk Advisors at 914-357-8444 or visit our Contact Us page to schedule a 10-minute meeting.

A Fireside Chat with A Claims Adjuster

Our Claims Advocacy Team got to sit down with a workers’ compensation claims professional who specializes in high exposure claims. They discussed a high exposure claim that wasn’t reported to the carrier in a timely manner after the incident occurred.

Please Note: This article has been edited for clarification and to protect the identities of those involved in the interview.

We’ve decided to call this interview a “Fireside Chat with a Claims Professional”. Please tell me, are you actually in front of a lit fire or a fireplace, or at least a match?

Yeah, I have a nice scented candle lit, some nice ambiance for the room. 

What is your current role in the claims process? 

I oversee about 500 files, not directly managing the day to day activities and tasks to move a claim forward, but looking at it from a strategic standpoint, whether it be return-to-work, a settlement, or the resolution of some litigated matters. I also assist clients in resolving their existing claims files.

Can you describe what a heavily litigated file/high exposure claim is?

Yeah, high exposure is really like your catastrophic claims. For example, someone who might be a paraplegic, quadriplegic, someone that suffers from a traumatic brain injury, or spinal cord injury. Those are leaning towards your high exposure. 

Heavily litigated files are those that are going to essentially set a precedent in future case law and how it can impact lawyers and insurers in the future.

Is the insured involved in the process at all? Or by the time that the issue reaches your hands is it completely out of the insured’s hands?

I feel like most of the time the employers (named insured) are aware that I’m working on their files as a resource. Oftentimes I can be involved in the claims review process to help bridge some of the gaps that may be present, with the knowledge to move that file forward. 

However, it depends on the account and the type of policy that’s written because they (the insured) may be hands-off. They may have paid their deductible and then the claim is no longer the named insured’s problem. So they leave the claim up to the carrier going forward.

You mentioned once their deductible is paid they often have a hands-off approach because it is no longer ‘their money’. Does the claim, the amount paid on the claim, and the amount paid from the deductible have an effect on their insurance?

It has an impact on their rating. It affects their E-Mod (Experience Modification factor rating). What this means is when the insured goes out into the marketplace the following year when they are up for renewal, that claim may show up. The incurred (paid + reserve) impacts their ability to be written for new insurance and essentially tells them what premium they’ll be paying.

From what you just told me, it doesn’t make sense for the insured to take a hands-off approach? Does that sound fair? 

I certainly think that they (the insured) should be involved because this directly affects and impacts their future with Mod ratings and what they’re going to pay for in the future. But many people still take the backseat approach. 

Though this often depends on the level of comfort they have with their carrier. So while I say it’s a backseat approach, it may seem a little hands-off because they feel confident in their carrier’s ability and what we put forth. They know that we’re going to mitigate their losses as much as possible to bring it to a resolution.

That’s a great point. I imagine this is true with a long-standing client, a company who’s been insured with you for a long time, they know the team and have the same players handling their claims, and they can kind of step back because they know that your team has their best interest at heart.

Seasonal/Winter Claims

So you’ve seen it all, as you’ve climbed the ranks in insurance and the claims world. Is there one type of claim you encounter where you just roll your eyes when it comes because it is the most common type of claim? This could be a winter claim, an industry-specific claim. 

I call them your classic injuries. The two most common ones that are seasonally driven are your slip and falls. They are the most common denominator in terms of what you see for December, January, February, and March claim volumes that come in. Slip and fall will rank really high for what we see.

Aside from that, lifting injuries are common as well. 

Are these injuries specific to a particular industry?  Do you only oversee construction, real estate, healthcare or are these claims kind of general and not industry-specific? 

I think claims like these are industry-specific. Your transportation carriers/delivery services, you typically see slip and falls from the parking lots or while they’re making a delivery to someone’s home. The same goes for lifting injury, that’s primarily where you see those.

Construction is a fall from heights, that’s typically the most common one.

Then in healthcare we see lifting injuries because your home health aides are typically assisting with a client/patient, having to maybe get them up out of bed. Some of those patients are unable to help themselves get up, and typically these employees have to just lift 150 pounds to 200 pounds by themselves with no assistive device to help them do that. We see a lot of lifting, back, and neck injuries from that.

It sounds like our essential workforce, especially during COVID times, are the ones getting injured the most.

Yes. I can agree with that. 

Most Expensive Claim That You Personally Have Seen 

What is the most expensive claim you’ve seen? For clarification, when I say the most expensive claim it can be a specific body part that is a high dollar amount.

It depends on how high you’re looking to go. I’ve seen some claims that are multi-million dollars.

What was that? A multimillion-dollar claim? What was the injury?

Without disclosing too much detail, one employee rode in the back of a pickup truck of another employee, as they departed the employer’s location and a severe injury was sustained. It’s a multimillion-dollar claim because this employee needs 24/7 care and will need to live in a facility probably for the rest of their life. 

That’s tragic and I don’t think many insureds think about claims on that level. Maybe large corporations, like the transportation organizations we discussed earlier (UPS, FedEx, DHL). Those companies have a large workforce at a national level, so maybe they’re more familiar with those. But smaller commercial clients don’t see or even think that this could even happen, and now they’re looking at a multimillion-dollar loss that they didn’t budget for when running their business.

Absolutely, and when we start to look at what happened and gather the facts around the event we start to ask questions like “What is your policy about having employees on site after work?” and if there is any surveillance footage of the location and what was actually happening. 

Having that information and the punch cards to show when they came in and when exactly they left. In a lot of states, there are a number of “coming and going” rules that would either support the acceptance of or denial of that accident/injury being considered within the course and scope of employment.

This ties into my next question. From your side of things I’m sure it’s frustrating with these claims when you see that more could have been done from the insured’s standpoint. How can the client help in the claims process so it doesn’t get to your level? At least so they do everything they possibly can to help your team out, to help the adjuster out before it gets to you and it becomes a multimillion-dollar claim.

What we see very often, and in the example we just talked about, is that this claim wasn’t reported to us until several months after the accident happened.

Wow. 

It is so important to get it to us, even if they are not sure if it would be covered under Workers’ Comp. Oftentimes they (the insured) might think it’s covered under liability or if it’s a motor vehicle accident they strictly put it in as an auto claim. 

My advice would be to file that incident report, that first report of injury as soon as the incident happens. Let the carrier investigate it and be sure to really partner with the carrier to ensure that you’re getting them the information that they’re requesting. Preserving any evidence is crucial as well. 

So if you have surveillance footage be sure to take that and send it over right away. Witness statements are critical. When you speak to someone right after an event happens the event is going to be right fresh in their head. As opposed to trying to track someone down a few months from now, or even a week from now, their recollection of the event might vary. These witnesses might have also spoken to other employees about things being said around the workplace and you risk getting a skewed version of what actually occurred.

Even include the profile for the employee: what’s going on? Oftentimes you’ll see they’ve run out of vacation time and now they’ve filed this claim. Then, we learn from other employees that this person was just taking a vacation. So all that information about what’s going on in this employee’s life and other things they’re aware of like disability claims that were previously filed for this employee in conjunction with just responding to the investigation as soon as it happens is pivotal.

I gather that a lot of times in an instance where this doesn’t happen, the insured is afraid of the repercussions and that the carrier is going to penalize them. However, you don’t get penalized for doing the right thing, which is if you know something happened, report it. This way the carrier can work with you and guide you and do the investigation early on instead of 4 months out.

So circling back to the example you gave us. What happened in the time it took for that event to hit your desk? 

In this situation, it was a case of “Everything that can go wrong, did go wrong.” The insured originally never put it through to workers’ comp. Why? First, they were trying to pay for anything out of pocket to avoid having the claim show up on their claim history. Second, they heard this employee had passed away. The employer didn’t realize that the employee had survived the accident.

Once we finally did receive the claim, the employees that participated in the internal investigation before it reached the carrier were no longer available for comment. 

This sounds interesting.

I’m not sure if that answered your question, but I’m not sure if this approach helped anybody because the state where this incident occurred is a state that requires you to get prior authorizations, and the employee already incurred several million dollars worth of care before this claim even reached us. There was no direction and we couldn’t negotiate the rates with the home healthcare. At this point, we’re trying to go backwards to try to project what could occur in the future. 

What a mess. 

This approach doesn’t work well from the financial standpoint either because it doesn’t help the injured worker and then the carrier is trying to quickly piece together to make a decision before the state’s deadline for when you have to file a decision. There is a lot of scrambling. 

This sounds so stressful. The insured may be able to self-pay but those accidents need to be very minor. Even if the insured does self-pay there are still forms that need to be filled out and the insured is required to keep them on hand but it sounds like in this instance it was a major accident, to begin with. 

Thank you so much for sharing. This touches on what a lot of clients are asking and are worried about. At the end of the day, they all want the best insurance rates and the best insurance coverage, but the only way to achieve that is cooperation and reporting things timely when an employee is injured. 

It sounds like in this instance the insured didn’t try to reach out to the injured employee because they didn’t know if he was still alive.

There was no contact made. In fact, it was asked for us to not contact the family until we (the carrier) had the full scope of what was going on because at that point we didn’t want to contact the family and give them unrealistic expectations of what would be covered.  The insured definitely learned a lesson on what not to do next time. 

Something as simple as reaching out to the employee who was injured, or reaching out to the family if you can’t get the employee,  and they’re not showing up to work is a big step and a huge help to the claims team and to the employer as well. They should know where their employees are. 

I find it very important for the employer to be engaged in this process. Whether they are a short-term or a long-term employee. Following up and showing that area of concern, asking them when they might return to work. It makes that employee feel valued. It could also result in a quicker return to work.

A great point you’ve touched on. 

The employer/employee relationship

I ran into an issue where I was trying to encourage one of my clients to reach out to an employee that had gone MIA for a little bit. Their response was they didn’t want to because they were afraid that the employee would consider it harassment and the employer’s view was “this employee is out on workers’ comp. We have no right to speak to them.”

I think a lot of insureds feel this way:  once the employee is out on workers’ comp they’re not allowed to speak to the employee. But, what you’re telling me is this is not truly the case. 

To my knowledge, there is no employment law that prevents the employer from checking in on their employees. Disability does that, checking in with their employees to see how they’re progressing and how they’re healing. The employer may not be able to ask directly “When are you returning to work?” but they can ask how they’re progressing.

Depending upon the relationship between the employer and the employee, the employee may be forthcoming with more information. 

A lot of times these folks are just home and don’t have many other people to talk with. A lot of them are isolated, working-class individuals. So their family, friends, and everyone else is at work, so they’re longing for social interaction. The employer reaching out shows the employee that they’re concerned about their wellbeing and the employee can be eager to come back.

It sounds like this is just the kind thing to do. 

I don’t know of any law that stops someone from doing that so we encourage reaching out to the employee. 

I wasn’t meaning this from any legal standpoint. I just meant a lot of employers are like “Well they’re out on workers’ comp. We’re not talking to them”. They’re still your employees.

Especially when some of these employees have been with the company for 15+ years. How do you let this accident happen and not show empathy or concern for how the employee is doing? I think from the carrier side of this we’re in situations where we can’t have direct contact with the employee because they’re attorney-represented. Therefore the employer is our outlet to keep us updated.

Oftentimes they (injured workers) go to a doctor’s appointment and they give their employer a call with an update: “I just went to my Dr.’s appointment and I’m going to be out for another 4 weeks. I need to go to physical therapy and then go back to the Dr.’s.”

As a carrier, it takes us a longer route to get this information because we have to call the provider to get information, and sometimes it takes two weeks plus to get the office notes, depending on how long it takes the physician’s office to have their notes dictated. 

It’s often helpful to the carrier if the employer maintains that relationship with the employee. It can help get that person back to work sooner, which benefits the claim. 

You’re detailing a really important dynamic which we try to communicate to our clients, and it’s nice to hear the same from you, another claims expert. It’s a group effort and the insured is a key player in how these claims can end up. It starts with keeping in contact. Once the adjuster loses contact with the claimant due to attorney representation it sounds like the employer is the key person to maintain that contact and relay important information to you guys. 

I think that this is something a lot of people often overlook because it’s not common knowledge.

Exactly what I was saying. 

This has given us a lot to think about, to share with our clients. Is there anything else that I didn’t touch on that you were hoping to talk about? Any inside scoops?

You know, I gave an example of a catastrophic claim and there are other claims out there. What I think is always a challenge for employers is the accident description itself. Sometimes that’s where they start scratching their head. The employer starts asking themselves “Do I report this? Do I not report this? Should I be taking a hands-on approach? Do I let the claims team just handle it?”

The employer may not want to reach out during the investigation period, because the employee may start asking questions that they don’t have the answers to. 

Right. 

I’ve seen all sorts of things, and the issue is that there are various grey areas in claims that can affect whether or not the claim will be accepted by the carrier. 

You mentioned some of the more common areas of claims and can some of those be prevented? 100% Yes, but some will inevitably happen. The other side of this is the quicker we can get these resolved, and the greater involvement we can have earlier on, the more likely we will help the injured employee return to work sooner. The more we can do to prevent these accidents from occurring, the safer the staff is and the better things can be. 

Risk Management 101. Preach! Thank you so much for your time. Our fireside, Vanity Fair-esque interview. This was a lot of fun! I may be reaching back out to you for a summer edition of this!  

Claims management is an integral part of your insurance purchasing process. If you have any questions or need help with claims management within your organization, contact one of our Metropolitan Risk Risk Advisors for information on our available programs.

Protecting Your Workforce From Winter Related Illness

Winter weather creates new challenges for employers trying to protect their employees from work-related accidents. Snow and ice: how are you protecting your employees from potential slip and fall incidents related to them? According to OSHA, 20% of all workplace injuries are due to trips, slips, and falls.

Types Of Cold Related Illness

Every year, around 1,330 people die of exposure to the cold. These deaths are preventable with the proper clothing. The four types of cold-related illness are hypothermia, frostbite, chilblains, and trench foot.

Hypothermia

When your body is exposed to cold temperatures, the body begins to lose heat faster than it can be produced. Prolonged exposure will eventually use up the body’s stored energy.

Signs of Hypothermia:

Early Symptoms

  • Shivering
  • Fatigue
  • Loss of coordination
  • Confusion and disorientation

Late Symptoms

  • No shivering
  • Blue skin
  • Dilated pupils
  • Slowed pulse and breathing
  • Loss of consciousness

First Aid for Hypothermia

  1. Move employee to a warm room or shelter
  2. Remove their wet clothing
  3. Warm the center of their body first (chest, neck, head, and groin) using an electric blanket, if available; or use skin-to-skin contact under loose, dry layers of blankets, clothing, towels, or sheets.
  4. Warm beverages may help, but do not give alcoholic beverages. Do not try to give beverages to an unconscious person.
  5. After their body temperature has increased, keep the victim dry and wrapped in a blanket.
  6. If the victim is unresponsive begin CPR

Frostbite

Frostbite is caused by freezing. It causes loss of feeling and color in the affected areas. Frostbite most commonly affects the nose, ears, cheeks, chin, fingers, and toes. It can cause permanent damage to body tissue, and severe cases can lead to amputation.

Symptoms:

  • Reduced blood flow to hands and feet (fingers or toes can freeze)
  • Numbness
  • Tingling or stinging
  • Aching
  • Bluish or pale, waxy skin

First Aid

  • Get into a warm room as soon as possible.
  • Unless absolutely necessary, do not walk on frostbitten feet or toes; this increases the damage.
  • Immerse the affected area in warm (not hot) water; the temperature should be comfortable to the touch for unaffected parts of the body.
  • Warm the affected area using body heat; for example, the heat of an armpit can be used to warm frostbitten fingers.
  • Do not rub or massage the frostbitten area; doing so may cause more damage.
  • Do not use a heating pad, heat lamp, or the heat of a stove, fireplace, or radiator for warming. Affected areas are numb and can be easily burned.

Chilblains

Chilblains are the inflammation of blood vessels in the skin in response to repeated exposure to cold but not freezing air.

Symptoms

  • Small, itchy red areas on your skin, often on your feet or hands
  • Possible blistering or skin ulcers
  • Swelling of your skin
  • Burning sensation on your skin
  • Changes in skin color from red to dark blue, accompanied by pain

First Aid

  • Keep hands and feet warm and dry
  • Wear gloves & socks
  • Change damp gloves and socks when needed
  • Move affected person inside

Cold-related illnesses aren’t the only hazard that an organization faces in winter. Slip and fall injuries are more prevalent in the winter as well.

Social Engineering: A Growing Cybersecurity Risk

Social Engineering

This past summer we wrote an article about the dangers of social engineering and how to prepare your organization for a socially engineered cyber attack. To reiterate: social engineering is the use of deception to manipulate individuals into giving up their personal information. Driver’s licenses, passports, medical records, and bank information are all examples of records that social engineers try to obtain from you.

Why you and your organization should be aware of Social Engineering 

Social engineering can impact your personal data as well as your business’s data. These cybercriminals rely on manipulating individuals rather than hacking computer systems to get into a target’s account. They often avoid protected systems entirely because people are much easier to break down. They find any small piece of information and take advantage of human weaknesses to gain access to personal information. This is why it is important for individuals to educate themselves on these cyber risks and the extreme danger they pose to your confidential information.

Attack methods

Social engineering attacks fall into three styles, each using psychological tricks to steal your personal information.

Physical Social Engineering Attacks

Starting with physical social engineering, attackers use dumpster diving and tailgating; trash cans, open access to the property, and office receptions are the typical vectors associated with this style.

Technical Attacks

Technical social engineering attacks rely on password hacking and online profiling; the typical vectors include malware, unsecured network systems, and social media.

Socio-Technical engineering

Socio-technical attacks rely on phishing and watering holes; the typical vectors include emails, social media posts, and compromised websites.

Social media

Social profiling is one of the easiest ways for an attacker to gather information about a person to use against them and steal their identity. The problem and its potential impact grew with the popularity of social media platforms; social media users are a gift to social engineers because so much of their personal information is online. For example, a post such as “I hate my job” can attract an attacker. The post will be noticed and the attacker will personally target that individual, posing as a bogus recruitment consultant to extract personal information as a seemingly trusted source. Social engineers work profile by profile to build targeted social profiles through analysis of posted information, pictures, holidays, and birthdays.

Where are cybercriminals investing?

To understand more about cybercriminals and social engineering: the use of phishing techniques is now well established in cybercrime, and new techniques appear constantly. These techniques include social profiling, fake voices, deepfake voices, and mouth mapping. The growing performance of computer systems has made mimicking specific voices possible. The majority of investment goes into “voice conversion” and “text-to-voice.” Voice conversion involves two voices (the source and the target) and software that converts one voice into the other. Text-to-voice conversion allows a mimicked voice to say whatever the user of that software submits as text.

Researchers expect full voice conversion and text-to-voice to be available as mobile phone services that create mimicked voices in about 3-5 years, which would have serious economic and political consequences for cybercrime. Mouth mapping is another technique that is becoming popular in cybercrime; it complements existing fake voice technologies and is well suited to political and journalist targets. This technique is also applicable to social media and web conferencing.

A solution to Social Engineering

Social engineering is a crucial component of any written policy on cyber liability protection for individuals and companies. With this in mind, make sure you and your organization have cybersecurity awareness training to recognize the specifics of cybercrime and social engineering, including how attackers piece together bits of information from different users’ accounts without the users even being aware of it. The risk management frameworks, security strategies, and analytics tools you put in place should account for this threat.

At Metropolitan Risk, we offer a comprehensive Cyber Risk Assessment to ensure that businesses are protecting themselves from cyber attacks with the best resources possible. Click here if you are still looking for more info or you have any questions. We have a team of Risk Management specialists who are here to help!

Email Attachment File Types That Can Potentially Contain Malware

With more departments working remotely, an email from the IT department asking for remote access to your computer isn’t an unreasonable find in your inbox. Cybercriminals know this.

Malware in the form of an email attachment is the easiest way a cybercriminal can attack an organization. Using Social Engineering, cybercriminals can pose as job candidates easily convincing HR departments to open files like “resumes.docx” without considering that a link or file may actually be Ransomware or Keylogging software.

With more organizations operating remotely, an email from the “IT Department” asking employees to update an organization’s software through an email attachment isn’t a far reach, especially in a time where fewer employees are commuting to the office and digital communications are at an all-time high.

Emails from cybercriminals posing as trusted sources are a common phishing scheme that can cost organizations dearly. Some are socially engineered to impersonate a coworker asking for gift cards; others deliver malware as an attachment.

What is Malware?

Malware is any software designed to disrupt, damage, or gain unauthorized access to a computer system. Malware can lie dormant on an organization’s systems for months before activating. In some cases it does not damage anything on the network at all and simply gathers information for the cybercriminals.

Files That Are Commonly Attached To Email 

These are the most common types of files attached to email. If you receive an attachment you were not expecting, confirm with the sender through a channel you already trust, such as a known phone number, before opening it. Do not simply reply to the email: if the sender's address is spoofed or the account is compromised, the attacker is the one who answers.

  • .txt Files ending in .txt are typically safe to open. In the past, however, cybercriminals have sent mass emails with attachments that appear to be .txt files but carry a second extension that most email programs (and Windows, which hides known extensions by default) do not display, so “notes.txt.exe” shows as “notes.txt”. When users opened what they thought was a text file, the hidden executable ran instead.
  • .pdf PDFs are also generally considered safe to open, but programs that open .pdf files have had security flaws, and a PDF can carry scripts and embedded files. Even though these files are usually safe, verify that the sender is trustworthy before opening the attachment.
  • .doc/.docx/.xls/.xlsx/.ppt/.pptx Microsoft Office documents of all types are very commonly manipulated to carry malware, usually as macros. The legacy .doc, .xls and .ppt formats can always contain macros; the newer .docx, .xlsx and .pptx formats cannot, a deliberate part of their design that reduced the spread of macro viruses, while their macro-enabled siblings .docm, .xlsm and .pptm can. If you receive a .doc or a macro-enabled file you did not expect, ask the sender to resend it as a PDF, and never click “Enable Content” in a document from an unknown sender.
  • .jpg This extension is often used to camouflage executable programs (“photo.jpg.exe”). If your email program does not show the full file extension, you cannot tell the difference by looking at the name.
  • Compressed files .zip/.rar can contain malware that runs as soon as the extracted file is opened, and archives (sometimes password-protected so that scanners cannot look inside) are a common way to get executables past email filters. Do not open them from unknown senders.
  • Executable files Most email providers now filter for this file type and block emails with executables attached. Executable files can contain anything from legitimate software updates to actual malware, so treat an emailed “update” from the IT department with suspicion and confirm it with IT directly.
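A small checker that applies the points above to a constructed set of attachments, as an added example (not code from the original post or from Metropolitan Risk). It flags double extensions, executable and macro-capable extensions, archives, and a mismatch between the file name and the first bytes of the content (a “.jpg” that starts with the Windows executable header); it also catches the Unicode right-to-left override trick, which makes a name like “invoice<RLO>fdp.exe” display as “invoiceexe.pdf”. The extension lists, magic-number table and sample attachments are the example's own assumptions.

```python
"""Flag risky e-mail attachments by file name and by content.

Added example for this article, not code from Metropolitan Risk or any
product. The attachment names and byte strings below are constructed for
the demo, and the extension lists are an illustrative policy, not an
exhaustive standard.
"""
from typing import Dict, List, Optional

# Extensions that run code directly when double-clicked on Windows.
EXECUTABLE = {"exe", "scr", "com", "pif", "bat", "cmd", "js", "jse",
              "vbs", "vbe", "wsf", "hta", "msi", "ps1", "lnk"}
# Office formats that can carry VBA macros. The Office Open XML formats
# .docx/.xlsx/.pptx cannot; the legacy formats and the "m" variants can.
MACRO_CAPABLE = {"doc", "dot", "xls", "xlt", "ppt", "pot",
                 "docm", "dotm", "xlsm", "xltm", "pptm", "potm"}
ARCHIVE = {"zip", "rar", "7z", "iso", "img"}
# Harmless-looking extensions attackers place before the real one,
# e.g. notes.txt.exe, which Explorer shows as notes.txt by default.
DECOY = {"txt", "pdf", "jpg", "jpeg", "png", "doc", "docx", "xlsx"}

# Leading bytes (magic numbers) of common attachment formats.
MAGIC = [
    (b"MZ", "exe"),                  # Windows PE executable
    (b"%PDF", "pdf"),
    (b"\xff\xd8\xff", "jpg"),
    (b"\x89PNG", "png"),
    (b"PK\x03\x04", "zip"),          # zip, and the .docx/.xlsx/.pptx containers
    (b"\xd0\xcf\x11\xe0", "ole"),    # legacy .doc/.xls/.ppt
    (b"Rar!\x1a\x07", "rar"),
]
# What the sniffed content should look like for a given extension.
EXPECTED = {"pdf": {"pdf"}, "jpg": {"jpg"}, "jpeg": {"jpg"}, "png": {"png"},
            "zip": {"zip"}, "docx": {"zip"}, "xlsx": {"zip"}, "pptx": {"zip"},
            "doc": {"ole"}, "xls": {"ole"}, "ppt": {"ole"}, "rar": {"rar"}}

RLO = "\u202e"  # Unicode right-to-left override, used to disguise file names


def sniff(data: bytes) -> Optional[str]:
    """Identify the content type from its first bytes, or None if unknown."""
    for sig, kind in MAGIC:
        if data.startswith(sig):
            return kind
    return None


def classify(filename: str, data: bytes) -> List[str]:
    """Return the reasons an attachment is risky; an empty list means no findings."""
    reasons = []
    if RLO in filename:
        reasons.append("name contains a right-to-left override character")
        filename = filename.replace(RLO, "")  # judge the real name, not the displayed one
    exts = filename.lower().split(".")[1:]
    last = exts[-1] if exts else ""
    if len(exts) >= 2 and exts[-2] in DECOY and last not in DECOY:
        reasons.append(f"double extension: shows as .{exts[-2]} when extensions are hidden, real type is .{last}")
    if last in EXECUTABLE:
        reasons.append(f"executable type .{last}")
    if last in MACRO_CAPABLE:
        reasons.append(f"macro-capable Office format .{last}")
    if last in ARCHIVE:
        reasons.append(f"archive .{last}; contents are not inspected here")
    kind = sniff(data)
    if kind == "exe" and last not in EXECUTABLE:
        reasons.append(f"content is a Windows executable despite the .{last} name")
    elif last in EXPECTED and kind is not None and kind not in EXPECTED[last]:
        reasons.append(f"content looks like {kind}, not .{last}")
    return reasons


# Constructed sample attachments: (name, first bytes of the file).
SAMPLES = [
    ("statement.pdf", b"%PDF-1.7\n"),
    ("resume.docx", b"PK\x03\x04" + b"\x00" * 12),
    ("resume.doc", b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"),
    ("notes.txt.exe", b"MZ\x90\x00\x03"),
    ("photo.jpg", b"MZ\x90\x00\x03"),                 # renamed executable
    ("invoice" + RLO + "fdp.exe", b"MZ\x90\x00"),     # displays as invoiceexe.pdf
    ("update.zip", b"PK\x03\x04"),
    ("readme.txt", b"Just text.\n"),
]


def report(samples=SAMPLES) -> Dict[str, List[str]]:
    """Classify every sample; returns name -> list of reasons."""
    return {name: classify(name, data) for name, data in samples}


if __name__ == "__main__":
    for name, reasons in report().items():
        print(f"{name!r}: {'OK' if not reasons else '; '.join(reasons)}")
```

The content check reads only the first few bytes, so it is cheap enough to run on every inbound attachment at a mail gateway; it will not see inside an archive, which is why archives are reported separately rather than passed as clean.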
At Metropolitan Risk, we offer a full cyber evaluation to help your organization recognize its digital strengths and weaknesses. Click here to request a Cyber Evaluation or call 914-357-8444 to speak with a Risk Advisor.

Data Privacy Day

What is Data Privacy Day and why it’s important to your organization?

Data Privacy Day is January 28th. It commemorates the signing of Convention 108 on January 28, 1981, the first binding international treaty on the protection of individuals’ personal data, and has been observed on that date every year since; the National Cyber Security Alliance (NCSA) encourages individuals and businesses to take part.

The National Cyber Security Alliance encourages individuals to take action and “Own Your Privacy” by learning how to protect their important data online. Businesses are encouraged to respect individuals’ privacy, to take responsibility for keeping their information safe, and to ensure fair data processing.

Businesses encouraged to “Respect Privacy”

Individual Data Privacy

Individuals increasingly feel that they are no longer in control of their own personal data. A first step is learning what kind of data you create online and how it is collected, shared, used and stored.

Your personal data is valuable. Do you know what information you’re sharing with businesses? Purchase history, IP address and location are all of tremendous value to them. Make smart choices when a business asks for personal data.

Keep track of which apps ask for access to your information. Apps request access to your location, contact list and photo library, or ask to connect to other apps. Be thoughtful about granting permissions: many apps ask for access to data they do not need in order to provide their service.

Manage your privacy settings across all platforms. Check the privacy and security settings on the web and in every app, then set them to your comfort level for what you share and how much.

Business Data Privacy

Businesses have to respect consumers’ privacy; it is also a smart way to gain trust and enhance reputation and growth. Here are some tips on respecting privacy as a business.

Protect the data you collect. An intentional or unintentional release of confidential information to an untrustworthy party leads to financial loss, a decrease in customer trust and damage to reputation. Make sure private data is collected only for appropriate purposes and processed fairly.

Conduct a cyber risk assessment. Understand which privacy rules apply to your business and train your employees to protect your customers’ personal information. At Metropolitan Risk we offer a comprehensive cyber risk assessment to help your organization create a strong cybersecurity plan.

Maintain data transparency. Be open and honest about how you collect, share and use consumers’ private information, and let your audience know the steps you take to achieve and maintain privacy.

Sustain oversight of what data your partners and vendors use and how they manage it. If a partner provides services on behalf of your organization, you are still responsible for how that vendor collects and uses your customers’ personal data.

If you would like more information on how to keep your personal data safe and secure, contact one of our Risk Advisors today or call 914-357-8444.

 

OSHA 2020 Workplace Injury Reports Due By March 2, 2021

The Occupational Safety and Health Administration (OSHA) reminds employers that it began collecting 2020 workplace injury data on Jan. 2, 2021.

When are OSHA 300A Reports Due?

All OSHA 300a records must be submitted electronically by March 2, 2021.

Organizations with 250 or more employees are currently required to keep OSHA injury and illness records for five years, and covered organizations must submit their 2020 injury and illness data electronically by March 2, 2021. You can submit records electronically through the Injury Tracking Application available here.

The form to use is OSHA Form 300A, Summary of Work-Related Injuries and Illnesses. Current and former employees have the right to request the underlying injury records on the OSHA 300 Log. It’s very important that you true up your OSHA 300 Log for the year, then complete the OSHA 300A summary and post it at each site. Failure to do so can trigger fines and/or an OSHA investigation, and OSHA can visit and ask for evidence of your compliance at any time. Need help? Download our updated OSHA Reporting Guide for 2021 and share it with HR and/or Safety Compliance.

F.A.Q.s – CLICK HERE TO VIEW OSHA’s FULL LIST OF F.A.Qs

What is a recordable incident? 

Check out this flowchart.

What is a reportable incident?

Check out this flowchart.

Do I need to fill out an OSHA 300A log for every location?

You must keep a separate OSHA 300 Log for each establishment that is expected to be in operation for one year or longer.

Do I need to keep OSHA injury and illness records for short-term establishments (i.e., establishments that will exist for less than a year)?

Yes, however, you do not have to keep a separate OSHA 300 Log for each such establishment. You may keep one OSHA 300 Log that covers all of your short-term establishments. You may also include the short-term establishments’ recordable injuries and illnesses on an OSHA 300 Log that covers short-term establishments for individual company divisions or geographic regions.

Some of my employees work at several different locations or do not work at any of my establishments at all. How do I record cases for these employees?

You must link each of your employees with one of your establishments, for recordkeeping purposes. You must record the injury and illness on the OSHA 300 Log of the injured or ill employee’s establishment, or on an OSHA 300 Log that covers that employee’s short-term establishment.

How do I record an injury or illness when an employee of one of my establishments is injured or becomes ill while visiting or working at another of my establishments, or while working away from any of my establishments?

If the injury or illness occurs at one of your establishments, you must record the injury or illness on the OSHA 300 Log of the establishment at which the injury or illness occurred. If the employee is injured or becomes ill and is not at one of your establishments, you must record the case on the OSHA 300 Log at the establishment at which the employee normally works.

 

Risk of a Common Password and Ways to Avoid it (Infographic Inside)

Using a common password leaves your organization’s accounts open to attack. Make password hygiene a major component of your organization’s cybersecurity plan: the risk of a common password is tremendous, and you should avoid one at all costs.


Did you know:

  • 4.7% of users have the password “password”;
  • 8.5% use “password” or “123456”;
  • 9.8% use “password”, “123456” or “12345678”;
  • 14% have a password from the top 10 most-used passwords;
  • 40% have a password from the top 100;
  • 79% have a password from the top 500;
  • 91% have a password from the top 1,000.

 

What does this tell you? Think twice before making “abcdef” your next password. According to a study from SecurityCoverage Inc., a password of just six lowercase letters, especially a common word or combination, can be figured out by a cyber-thief in 10 minutes!

However, a six-character password that includes numbers AND symbols boosts complexity enough that a skilled hacker would need 16 days to break it, the study found, a task most likely not worth the hacker’s time.

Some sites now require a password with at least one uppercase letter, one number and sometimes a symbol as well. This is a step in the right direction even if it makes remembering your password a little tougher. A simple, easy-to-remember example would be “Money17$.” Be aware, though, that a capitalized dictionary word followed by a couple of digits and a trailing symbol is exactly the pattern password-cracking tools try first, so a password of that shape satisfies the rule while gaining little real strength; extra length adds far more than a symbol does.

The real security, of course, comes from those dreaded generated passwords: at least eight characters, with letters, numbers and symbols in random order. They are nearly impossible to remember, which is what a password manager is for. According to the same study, an eight-character password of random letters, numbers and symbols takes 463 years to break, and nine random characters a whopping 44,530 years. Those figures assume the study’s guessing rate, which its own numbers put at roughly half a million guesses per second; against a stolen database of fast, unsalted password hashes, a GPU cracking rig tries billions of guesses per second, and the same eight-character password falls in days rather than centuries.

“People are careless because they don’t understand the threat,” said Ed Barrett, VP of marketing for SecurityCoverage. LinkedIn was compromised in June 2012 and had 6.5 million password hashes leaked. Yahoo had 6 million passwords stolen as well.

Another important consideration: don’t use the “show password” option when typing a password where anyone else can see your screen. Note that it offers no protection against keyloggers either. Many attackers don’t bother guessing at all; they infect employees’ computers with malware that records their keystrokes, and therefore their passwords.

The fact is you can either use strong, complex passwords and have trouble remembering them, or use simple, weak passwords and run the risk of being hacked. We are not recommending a password like “nif$g*u3ng64dsf7”, which a security expert would love, because we understand the frustration and hassle of remembering 20 passwords. We are advising that the next time you create a password, especially for an important account, you add some length and complexity to it. Go back to your most important accounts, like your bank account, and make those passwords longer with a few numbers or symbols. It will greatly reduce your risk.
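To make the arithmetic behind those figures concrete, here is an added example (not from the original post or from the SecurityCoverage study) that computes the brute-force search space for a password’s shape, works out the guessing rate the study’s “10 minutes for six lowercase letters” implies, and re-estimates cracking time under other assumed rates. It also checks a candidate against a short common-password list and against the “Capitalized word + digits + symbol” shape that cracking rules generate. The guess rates, the common-password list and the shape pattern are the example’s own assumptions.

```python
"""Brute-force effort for password shapes, plus two cheap weakness checks.

Added example for this article, not code from Metropolitan Risk or from the
SecurityCoverage study it cites. The guess rates and the short common-password
list are illustrative assumptions, not measurements.
"""
import math
import re
import string

SECONDS_PER_DAY = 86_400
SECONDS_PER_YEAR = 365.25 * SECONDS_PER_DAY

# Assumed guessing rates (orders of magnitude for illustration):
GUESS_RATES = {
    "online, rate-limited login": 10.0,           # a few tries per second
    "study's implied rate": 5e5,                  # derived below from its own figures
    "offline, slow hash (bcrypt)": 1e4,
    "offline, fast hash (MD5/NTLM) on GPUs": 1e10,
}

# A few entries from the top of any leaked-password ranking (assumed list).
COMMON = {"password", "123456", "12345678", "qwerty", "abc123",
          "111111", "letmein", "iloveyou", "monkey", "abcdef"}

SYMBOLS = string.punctuation                      # 32 printable ASCII symbols
SYMBOL_CLASS = "[" + re.escape(SYMBOLS) + "]"
# Capitalised word + 1-4 digits + optional trailing symbol: the shape that
# rule-based cracking produces first from a dictionary word.
PREDICTABLE = re.compile(r"[A-Z][a-z]{3,}\d{1,4}" + SYMBOL_CLASS + "?")


def charset_size(password: str) -> int:
    """Size of the alphabet the password visibly draws from."""
    size = 0
    if any(c.islower() for c in password):
        size += 26
    if any(c.isupper() for c in password):
        size += 26
    if any(c.isdigit() for c in password):
        size += 10
    if any(c in SYMBOLS for c in password):
        size += len(SYMBOLS)
    return size


def search_space(password: str) -> int:
    """Number of candidates a brute-force attack must cover for this shape."""
    return charset_size(password) ** len(password)


def seconds_to_exhaust(password: str, guesses_per_second: float) -> float:
    """Worst-case time to try every candidate at the given rate."""
    return search_space(password) / guesses_per_second


def implied_rate(password: str, seconds_claimed: float) -> float:
    """Guesses per second that a published cracking-time claim assumes."""
    return search_space(password) / seconds_claimed


def is_common(password: str) -> bool:
    return password.lower() in COMMON


def is_predictable_shape(password: str) -> bool:
    """True for 'Money17$'-style passwords that satisfy complexity rules but
    are generated early by mangling rules applied to a dictionary word."""
    return PREDICTABLE.fullmatch(password) is not None


def assess(password: str) -> dict:
    """Summarise search space and exhaustive cracking time under each rate."""
    space = search_space(password)
    out = {
        "charset": charset_size(password),
        "length": len(password),
        "bits": math.log2(space) if space else 0.0,
        "common": is_common(password),
        "predictable_shape": is_predictable_shape(password),
        "days_to_exhaust": {},
    }
    for label, rate in GUESS_RATES.items():
        out["days_to_exhaust"][label] = seconds_to_exhaust(password, rate) / SECONDS_PER_DAY
    return out


if __name__ == "__main__":
    # The study's "10 minutes for six lowercase letters" fixes its guess rate.
    print(f"study's implied rate: {implied_rate('abcdef', 600):,.0f} guesses/s")
    for pw in ("abcdef", "Money17$", "nif$g*u3ng64dsf7"):
        a = assess(pw)
        flags = [k for k in ("common", "predictable_shape") if a[k]]
        print(f"{pw}: {a['charset']}^{a['length']} = {a['bits']:.1f} bits {flags}")
        for label, days in a["days_to_exhaust"].items():
            print(f"   {label:40s} {days / 365.25:12.3g} years")
```

Running it shows that the study’s figures correspond to roughly 500,000 guesses per second. At the assumed GPU rate for unsalted fast hashes, the 94^8 search space for “Money17$” is exhausted in about a week, and because its shape is flagged as predictable, a rule-based attack would find it long before that. Length is the lever: each extra random character multiplies the attacker’s work by the alphabet size.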

For a FREE comprehensive Cybersecurity evaluation, CLICK HERE.

Should We Require Our Employees To Be Vaccinated For Covid 19

Should my company mandate vaccinations? Like everything Covid related, the answer is complicated. According to employment law attorney Rich Landau of Jackson Lewis, the firm’s tentative position is that requiring employees to be vaccinated for COVID-19 is very difficult to mandate. This is primarily due to the vaccines’ Emergency Use Authorization (EUA) status, legal risks including discrimination claims, and the employee relations challenges of navigating this HR terrain.

 

For those clients less risk-averse we have a sample draft policy courtesy of Jackson Lewis. For Metropolitan Risk clients you can obtain the sample Covid vaccine policy by contacting your Account Executive. They are instructed to give you our draft sample. If you are not a Metropolitan Risk client, feel free to reach out to one of our Risk Advisors for a brief discussion.

According to our THINK HR partner and our partners at Jackson Lewis, the EEOC (Equal Employment Opportunity Commission) is expected to issue additional guidance on the ADA and Title VII issues raised by employers mandating that employees be vaccinated.

 

In our discussions, our partners point to existing influenza vaccination policies for guidance on how to proceed with COVID vaccinations. Most employers ENCOURAGE rather than mandate, which can be a safe haven should legal challenges arise. According to Rich Landau of Jackson Lewis, “even if the EEOC allows employers to mandate COVID vaccinations this will not elevate the risk of other non-discrimination, state laws, or workers compensation claims if employees suffer a serious reaction while the vaccine is in EUA status.”

There are numerous complications and challenges that may arise if you mandate the vaccine.

Potential Employer-Related Challenges With Requiring/Encouraging The Covid-19 Vaccine

  • Is the vaccine mandated or voluntary, and who is mandated?
    • Priority of recipients: which staff members or clients should be vaccinated first?
  • Incentives to receive it: does your organization currently offer incentives for the flu shot?
    • COVID-19 vaccine only, or influenza as well?
  • Who pays for the vaccine itself and for the time needed to get it?
  • Process for inoculation
  • Tracking status
  • Handling poor reactions: paid time off
    • How will you manage employees or clients who have adverse reactions to the vaccine?
  • Ensuring confidentiality
  • What if you run out of the vaccine?
  • COVID-19 protocols while in the midst of the process and after it is completed
    • Which protocols will stay and which will change? How will you as the employer manage these new expectations?
  • Addressing exceptions: medical, religious, generalized fear
  • Handling non-compliance: remote work, leaves of absence, discipline

The last stakeholders to consider beyond your employees may be your customer base. For example, companies providing services to senior care organizations, such as home health care agencies, nursing homes and assisted living facilities, may want to disclose to customers that the organization suggests, rather than mandates, vaccination. Make this disclosure at the point of sale or contract, or in a communication sent to your customer base. It may protect your organization from liability should customers seek damages at some future point. This can be a very sensitive topic, and each business needs to arrive at its own decision on disclosures. There is no silver bullet here; as with all risk-related decisions, the goal is to manage the exposures relative to potential downside losses in BOTH columns of the decision tree.

As you can see invoking a set vaccine policy to benefit all stakeholders is vexing, to say the least.

We will continue to provide updates as this new landscape develops. We encourage you to speak with a Risk Advisor for further guidance BEFORE adopting a set policy. Please be mindful that this is a very dynamic and fluid landscape, changing almost weekly. Contact a Risk Advisor at 914-357-8444. Thank you.
