Tag Archives: Business Continuation

Having a form of business continuation whilst the lock-down is occurring may save your company from going under.

Having The CORRECT Business Interruption Insurance Determines If Your Business Survives

Business Income Insurance or Business Interruption Coverage is not only the most often overlooked insurance coverage, but the error rate in how it’s calculated is over 90%, and I am being generous here. Skeptical? Pull your policy. My guess is your current agent or broker just applied your gross sales to arrive at the Business Interruption limit, or worse, if it’s actual incurred loss, it’s only for 12 months. I love actual incurred loss; what it should state is “Actual Incurred Loss As Calculated By The Insurance Company”. Yes, there is a HUGE difference.

 

Embedded in most insurance policies are provisions for “business interruption insurance” or “business income”. It’s these provisions that provide coverage for the loss of critical business income, the financial sustenance a business needs to survive. Simply because your business suffers a loss, your bills don’t stop. I know my landlord at Bridge Street in Irvington NY wants his check on the 1st of each month, regardless of any business or personal tragedy. He knows his bills keep coming as well; it’s a vicious cycle. Thus quite often you have insurance to help bridge the financial gap left in the revenue that your business would have enjoyed except for a covered event. How the loss is calculated and ultimately reimbursed is an article all by itself, and it differs depending on what type of business you are in (e.g., manufacturer, restaurant, retail wine merchant, hotel).

 

If NY Business Interruption Insurance is deemed critical to the survival of your business, we suggest performing a Business Income Stress Test. Quite simply, what we do is offer up two or three likely claim scenarios that would potentially keep most C.F.O.s up at night. We overlay your company’s current financials (P&L, Balance Sheet) and apply the insurance carrier’s formula for calculating the business interruption portion of the loss, which is contained in your insurance policy. In each claim scenario, we show you what your potential shortfall is BEFORE the loss occurs, which is a critical point. To perform this calculation after the event is called a CLAIM, which at that point is simply P&L triage to get you through the month.

 

It’s absolutely essential that this stress test be performed on every business. In our business we can pick up and move to a temp facility provided there is power, and be operational in a matter of hours. A NY Wine Merchant, or Westchester NY Restaurant cannot. Understanding your cost structure, what is and is not reimbursable, and planning for it upfront quite often is the difference between life and death for many small businesses because they don’t have the financial cushion or the credit lines to make up the difference. The insurance proceeds from business interruption, or business income claim is the only financial lifeline.

 

If you are interested in seeing how your business would fare in our proprietary Business Income Stress Test, please speak with one of our Risk Advisors or call 914-357-8444.

Secure Your Organization Using Multi-Factor Authentication

In a time where most organizations have transitioned to remote work, cybercriminals have doubled down on network attacks. The FBI recently released a statement saying that cybercrime attacks are up over 300% since 2019. Cyberattacks range from ransomware baked into spam emails to phishing emails posing as trustworthy entities, to gain access to account information. One way organizations can better protect their business from these attacks is to mandate policies that direct every employee to utilize multi-factor authentication on every business account.

 

Authenticators can be digital, physical, or a combination of both. Below we have listed a few of the most commonly used authenticators:

Digital Authenticators

One of the benefits of digital verification is that users do not need an additional physical token or device for authentication.   

Email authentication

Email verification is when a user needs to click a link or obtain a code sent to their email address to verify ownership of the account they are logging into. One of the biggest problems with email authentication is that a majority of people will reuse the same password for all of their important accounts.

Using email as a second method of authentication looks like this: 

  • A user logs in to a website with their username & password
  • A unique code or link is then sent to the user’s email address linked to the account
  • The user logs in to their email account, finds the code, and enters it into the application or website, or clicks the link in the email
  • If the code is valid, the user is authenticated and granted access to the account.

Cellphone authentication (SMS)

The most common authentication method is through SMS messaging on a cellular phone. This method is considered more secure than email authentication because email authentication includes the risk of the email account also being compromised.  The downside of SMS authentication is SIM-hacking can render the cellphone number useless.  

SMS Authentication will look like this for a standard user:

  • A user logs in to a website with their username & password
  • A unique code is sent to the cellular phone number linked to the user’s account
  • The user takes the 4-6 digit code off of their device and enters the code into the application or website
  • If the code is valid, the user is authenticated and granted access to the account. 

Physical Authenticators

A physical authenticator is more secure than digital because there is a real device that is needed to authenticate an account. This means that the user has a tangible key or an application downloaded to a physical device that is in their presence. These physical objects make it harder for cybercriminals to hack accounts.

Application-based authentication

Applications like Google Authenticator and other verification apps use a token/code to determine ownership of the account. These applications are linked to the device, not the phone number. Application-based authenticators can be as simple as a push notification going to the phone or the application, delivering a 4-6 digit code for users to enter on the website or application of the account they are attempting to access. 

  • A user logs in to a website with their user name & password
  • The website they are attempting to access will send the user credentials to the authorization server.
  • The authorization server will authenticate the user credentials and generate a token.
  • The access token is sent to the user via an application downloaded to the user’s device
  • The user inputs the time-sensitive access token into the website they are attempting to gain access to.
  • If the token is valid, the user will gain access to the website.

Physical authentication device

At Metropolitan Risk, we supply our staff with the hardware authentication device YubiKey. This ensures that our staff is using one of the safest methods of authentication. These keys are simple to deploy to everyone in your organization. These devices help promote digital security health within an organization.  

This physical device plugs into the USB port of a computer and requires a human touch to unlock the device. 

The process of using a physical authentication device looks like:

  • Launch the authenticator’s device
  • On the account that the user wants to log into, enter the username and password as normal
  • Find the authenticator code needed in the authenticator
  • Insert the physical authenticator key into the desktop to show the credentials needed to log into the account
  • Enter the code on the website
  • If the code is valid, the user is authenticated and granted access to the account.

Developing An Organization-Wide Plan To Implement Multi-Factor Authentication 

Once you’ve decided on a method of multi-factor authentication, your next step is execution. The size of your organization will determine how you implement this plan. While working on a plan, consult your IT department, your HR department, and various managers throughout your organization. Having your entire management staff on board with a plan helps convey the agenda to lower-level employees. 

  • Have a meeting with your supervisors, managers, and IT team about your organization’s cybersecurity efforts. 
    • Discuss how you feel you’re currently doing as an organization with cybersecurity to determine weak spots in your plans. 
  • If your organization is not currently using any method of multifactor authentication, determine which method would be best for your organization. At Metropolitan Risk we always suggest a physical key device.
    • Create a list of pros and cons for each authentication method and determine which is the best fit for your organization.
  • If you’ve decided to use a physical authentication device, determine which physical device is best for your organization.
  • Distribute the authentication devices and instructions to your employees
    • Make sure all employees are on the same page with how to manage this new software. 
    • Include additional information on how to install the authentication devices and how to better manage passwords and other important digital assets
  • Provide additional training to any employees who are struggling with updating their accounts with the new cybersecurity measures. 

Remember, cybersecurity only works if the entire organization is working towards the same goals. 

Metropolitan Risk is here to help your organization overcome obstacles that can affect your organization’s operations. Contact a Risk Advisor to book a meeting to discuss cybersecurity challenges that may be affecting your business’s insurance coverage, or call 914-357-8444.

Resuming Business Operations During Covid-19

Foremost on most organizations’ agendas is the question: how do we resume operations in a COVID-19 world? Candidly, it’s a bit complicated and contingent on a great many factors. Here’s a very short list of some contingencies.

What does your operation look like; what do you do? What does your service plant or office look like? How is it structured? Lastly, what are your workflow & staffing levels to execute? Can you stagger staffing locations to create separation? This is a shortlist of considerations to take into account to maximize the safety of your employees and customers.

At Metropolitan Risk part of our business model is to engage and vet high-quality partners that bring a risk mitigation skill set that our clients can leverage. Purchasing insurance is just another way to finance risk. The real magic and cost reductions happen when you marry the science & art of risk management with risk financing. Through the years we found our risk management recommendations weren’t always followed through because our clients lacked a network of these highly skilled individuals and firms by discipline.  Thus we thought we would make it easier for our clients to engage the necessary resources.

For purposes of today’s article, we partnered with Rich Landau of Jackson & Lewis, one of the preeminent employee law firms in the country. Rich was kind enough to share a LIST of things to consider as we begin to emerge from our COVID-19 induced stasis. Understand that this list is long and does not apply universally to every business. Think of this list as a general idea of what to consider as you make your own list to re-open.

 

Click here to download the list of suggestions to resume the operations of your organization in a COVID-19 world. 


For those of you who are Metropolitan Risk clients, we encourage you to speak to your Risk Advisor for assistance on how to build your own list. 

Conducting An Organization Wide Phishing Test

Remote operation of your business means that protections your office building had, your employees’ homes may not. Cybercriminals are taking advantage of this situation by phishing out your employees’ data. Take the time to educate your employees on cyber safety. This safety training needs to expand beyond just email safety but also include cyber safety within the office. 

How To Conduct An Organization-Wide Phishing Test: 

Notify and train your employees on what phishing is:

If you don’t notify your employees, how are they going to know what is going on? Let your employees know that you will be conducting an organization-wide phishing test. Teach your employees about the risks of phishing and how they can get better at recognizing the signs.

Employees need to know that phishing is more than a link asking for login credentials. A phishing scam can be an email sent company-wide from an unknown sender containing an attachment that is actually malware. 94% of malware was delivered via email in 2018.

During this initial training session, define your organization’s cybersecurity expectations. Your employees can’t read your mind. Communication from management and the IT staff can help with educating your employees on cybersecurity best practices. 

 


 

Engage all relevant departments and managers on why phishing is a threat to your organization

Work closely among staff members such as managers, HR, and IT to develop and engage an organization-wide cybersecurity plan. If customer service is leaving the door open at the end of the day, your engineering department might be at risk for a cyber attack. 

Create an alias email account for your employees to report potential phishing scams.

An alias email allows for your organization to streamline your phishing reporting. The alias email address can be as simple as “Phishing@yourcompanysite.com”. This email address can redirect to the IT department or whoever is in charge of the network. 

This email address will allow your employees to forward the scam email right to an internal IT log specific for Phishing instead of going to the IT team and getting lost among other technical issues like website problems or a lost password. 


 

Plan your phishing test

Plan to test your entire organization to see if there are any weak links in your cybersecurity. This means including senior management in your phishing test. To plan your phishing test, you can hire a 3rd party contractor to run the test and then measure things like link clicks, which employees leaked information, and the number of employees who reported a phishing email.

 

 

 

Analyze important key metrics  

After running a phishing test, work with IT staff members and team managers to analyze key metrics. 

Key metrics to keep track of:

  • The number of employees who click the link in the testing email
  • Number of employees who download a file from the unknown email address
  • The number of employees who report a phishing email to your IT staff or their manager. 

Take Action With Employees Who Failed The Test

Is there a portion of your staff who have continuously failed cybersecurity tests? Sit down with HR and IT to see what measures you can take to further educate and protect your business.  Work with HR to develop a plan for employee failure on every level. A breach in security is not a joke, but a high-level employee releasing admin information is a more serious offense than a low-level employee who only has access to email. 

Provide Your Entire Organization With Additional Information on Cybersecurity 

All of your employees can benefit from additional information on cybersecurity. Educate your employees on best practices to keep both business information and private information safe from hackers. This can include resources on different types of antivirus software, best practices for end of day 

 



Retest Your Organization 

Test, test, and then test again to make sure that your organization understands what is at risk with their unsafe digital activity. Every 6 months to 1 year, a random phishing test should be sent out throughout your organization. This consistent retesting keeps employees on their toes and helps employers determine which employees may be at risk of falling prey to an outside phishing attempt.

 

 

Still want more info on how your organization can better protect itself from cybercriminals? Contact one of our risk advisors at 914-357-8444. 

Resources

2019 Data Breach Investigation Report by Verizon

 

Business Interruption and Ransomware

Ransomware is a type of malware designed to deny access to a person’s computer unless they pay the hacker a ransom. The NY Times reports that these attacks have grown over the past year, with a 41 percent increase in 2019. Ransomware attacks are a growing problem, not only in the severity of the attack but also in the duration of time an organization is under attack, as well as the time lost from the point of the attack to the backup security.

 

Cybercrime continues to evolve with the changes in technology. Ransomware attacks have always targeted organizations with lax cybersecurity. Today cyber criminals can embed ransomware onto an organization’s server or website and the ransomware can lay dormant on a machine/server for months while collecting data on the organization.  

 

Business owners should take the time to understand their coverage in their business interruption policies. Since ransomware attacks are becoming easier for cybercriminals to execute, business owners should look into fortifying their digital assets and make sure that they have Business Interruption Coverage in the event their business is attacked. It is scary to think that nothing can be done when faced with a cyberattack, but being prepared for the potential loss of revenue/income during downtime due to an attack is just as important as preemptively assessing what cybersecurity measures your organization has in place.

 

Business Interruption Coverage

Business interruption coverage is only going to help your organization regain some of the financial loss that will occur with a security breach. It is a response to an incident that has occurred, not a proactive approach to stopping a breach from occurring.  Without business interruption coverage your organization would not be able to report a claim to help rebuild your business’s lost data. Business interruption insurance covers any income lost due to a disaster, in this case, a disaster would be a ransomware attack or any other type of cyber attack. 

A Proactive Approach

Recognizing weak spots in your organization’s cybersecurity is one way to proactively protect your organization from cyber-attacks. Digital has become the new normal. Taking a few extra steps will protect your business assets and save your organization by avoiding a cyber-attack. A few things for your organization to consider are:

  • Select trusted and reputable telecommunication & telework software for your organization. With more organizations moving to remote work, there has been an uptick in fake telework companies.
  • Keep an eye out for Business Email Compromise (BEC). This type of compromise can be associated with fake new clients & phishing schemes targeting your employee’s personal data like business logins and banking information.
  • Use multi-factor authentication when accessing organization sites, resources and files. We previously released an article with our suggestions to prevent SIM-Hacking. Click here to read the guide and learn more about multi-factor authentication.
  • Ensure all computers & mobile devices have up to date antivirus software installed. Keep all software up to date, including website plugins, browsers, and document readers.
  • Don’t open attachments or click links within emails received from unknown senders.

 

Cybersecurity Measures To Take

Another thing an organization can do is make sure its employees have the training to recognize the ways that criminals attack. Ransomware doesn’t just end up on a server. Criminals place it there through downloaded files or phishing websites.

Train your employees to recognize the signs of a phishing attack. Regularly schedule phishing tests to test whether your employees are practicing safe internet behavior. 

 

Still have questions? Still want more info? Take the proactive approach and contact a risk advisor or call 914-357-8444 to discuss how your organization can protect itself from a ransomware attack and ensure that your organization has business interruption coverage to protect yourself if an attack occurs. 

Phishing Attacks: Know the Signs!

Beware of Phishing!!!

Hackers will start with low-level employees first, making their way to executives’ accounts.

Hackers are constantly trying to find ways to hack into company accounts. They start off by sending trustworthy-looking emails to a company’s employees, directing them to a scam website that asks them to input their username or password. Once the hacker is able to access an employee’s account, they can move on to sending phishing emails to higher-positioned employees, which can potentially compromise the company.

With this access, they are able to leverage the company’s domain and send emails to others. Scammers compile phishing attacks by jeopardizing small, vulnerable businesses and compromising their trust with business partners that they work with. 

 

In phishing, it’s all about gaining the trust of the recipient, so that they click on the link.

 

There is another phishing scheme that has resurfaced called “typosquatting”, or URL hijacking. With this, attackers buy domains that are slight misspellings of popular websites, like goggle.com or yuube.com. “Spear phishers”, another term for hackers, can sometimes put various amounts of effort into targeting a specific person. Hackers try a number of different things, like creating multiple misleading webpages/websites, fake social media pages, or fake personal blogs to trick their targets. They create these fake sites to mimic the login screens of trusted services, to get information like email addresses & passwords.

Sophisticated hackers are willing to sell their services to specific organizations, individuals, or nation-state entities who want to steal information from someone. Some phishing providers offer networks of bots that produce fake websites, while others sell phishing toolkits to clients. 

 

Signs you’ve received phishing emails and how to Spread Awareness:

Check the Web address! Just because the address looks OK, don’t assume you’re on a legitimate site. Look in your browser’s URL bar for these signs that you may be on a phishing site: 

  • Always confirm the sender’s email. Sometimes the sender email will look legitimate until you actually click on it. When clicking on the email, you will see if the sender is actually coming from the website stated as shown. 
  • Incorrect company name. Often the web address of a phishing site looks correct but actually contains a common misspelling of the company name or a character or symbol before or after the company name. Look for tricks such as substituting the number “1” for the letter “l” in a Web address (for example, www.paypa1.com instead of www.paypal.com).
  • “http://” vs. “https://”  at the start of the address on Yahoo sign-in pages. A legitimate Yahoo sign-in page address starts with “https://” ― the letter “s” must be included. So check the website address for any Yahoo sign-in page.
  • Be leery of pop-ups. Be careful if you’re sent to a website that immediately displays a pop-up window asking you to enter your username and password. Phishing scams may direct you to a legitimate website and then use a pop-up to gain your account information.
  • Give a fake password. If you are not sure if a site is authentic, don’t use your real password to sign in. If you enter a fake password and appear to sign in, you’re likely on a phishing site. Do not enter any more information; close your browser. Keep in mind, though, that some phishing sites automatically display an error message regardless of the password you enter. So, just because the website rejected your fake password, don’t assume the site is legitimate.
  • Use a Web browser with anti-phishing detection. Internet Explorer, Google Chrome, & other Web browsers have free add-ons (or “plug-ins”) that can help you detect phishing sites.
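The misspelled-domain and character-substitution tricks described above (paypa1.com, goggle.com, yuube.com) can also be checked automatically, for example on links in reported emails. The following is an added example, not part of the original article: the trusted-domain list, the substitution table and the distance threshold of 2 are assumptions, and taking the last two labels as the registered domain is a simplification that does not handle suffixes such as .co.uk.

```python
from urllib.parse import urlsplit

# Constructed allowlist of domains the organization actually uses (assumption).
TRUSTED = {"paypal.com", "google.com", "youtube.com", "yahoo.com"}

# Look-alike characters mapped back to the letter they imitate (assumption,
# not an exhaustive table).
HOMOGLYPHS = str.maketrans({"1": "l", "0": "o", "3": "e", "5": "s"})


def registered_domain(url_or_host: str) -> str:
    """Return the last two labels of the host, lower-cased (simplification)."""
    if "://" not in url_or_host:
        url_or_host = "//" + url_or_host
    host = (urlsplit(url_or_host).hostname or "").lower().rstrip(".")
    return ".".join(host.split(".")[-2:])


def skeleton(domain: str) -> str:
    """Collapse common substitutions so 'paypa1' and 'paypal' compare equal."""
    return domain.translate(HOMOGLYPHS).replace("rn", "m").replace("vv", "w")


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance: inserts, deletes and substitutions."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                # delete from a
                           cur[j - 1] + 1,             # insert into a
                           prev[j - 1] + (ca != cb)))  # substitute
        prev = cur
    return prev[-1]


def classify(url_or_host: str, max_distance: int = 2):
    """Return ('trusted' | 'lookalike' | 'unknown', matched trusted domain)."""
    domain = registered_domain(url_or_host)
    if domain in TRUSTED:
        return ("trusted", domain)
    for trusted in sorted(TRUSTED):
        if skeleton(domain) == skeleton(trusted):
            return ("lookalike", trusted)
    dist, nearest = min((edit_distance(domain, t), t) for t in TRUSTED)
    if dist <= max_distance:
        return ("lookalike", nearest)
    return ("unknown", None)


if __name__ == "__main__":
    # Constructed sample inputs, taken from the examples in the text.
    for sample in ["https://www.paypal.com/signin", "www.paypa1.com",
                   "goggle.com", "yuube.com", "example.org"]:
        print(sample, "->", classify(sample))
```

A "lookalike" verdict is a reason to escalate to IT; "unknown" only means the domain is not close to anything on the list, not that it is safe.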

 

For more information about Phishing & preventing a cyber-attack contact a Risk Advisor or call (914)-357-8444

 

8 Tips To Ensure The Easy Transition From Office Employee To A Work From Home Employee Is Painless

Your organization does not need to shut its doors in the panic of a statewide/countrywide quarantine; you can offer a work from home option. With technology today, there is the potential to move non-customer facing operations to remote locations like employee homes for the time being. If this is your first time dealing with remote employees or your first time being a remote employee, we have a few tips to make the experience a pleasant one.

Set Up A Designated Work Area

On a normal day, you drive to work, then sit at your designated work spot at work every day. People assume that when they work remotely, they’ll work just as hard on their couch as they would if they were in the office. Some people do, but we suggest putting your work computer in its own area. Working from the couch may be great on the first day, but what about day 10 or day 100. A home office area, even a corner in your dining area can keep you focused and can stop your work life from blending too much into your personal life.

Keep Lines Of Communication Open

Whether your decision to move from an office to remote work is permanent or temporary, make sure that you and your employees have ways to contact each other beyond email. This could be having an all-hands meeting via GoToMeeting once a week or using programs like Slack for constant IM communications. Communicating with your team is a way to keep your employees in the loop of the situation & aware of what tasks need to be done. It can be easy to feel disconnected from what is going on in the office & the organization, so remaining engaged with co-workers is key.

Ensure Your Network & Work Programs Are Secure

The benefit of having all of your employees at one location is that you only need to worry about protecting one wireless network. Expanding to remote work means the networks your employees connect to need to be secure. Telecommuting introduces another set of potential cybersecurity risks. Make sure you speak with your manager about cybersecurity and strategies you can use for mitigating the risk of a cyber attack while you are working from your home. A basic level of security is having employees remotely access their network computers through LogMeIn or other remote connectivity software.

Get Dressed

Since you’re working from home you might be tempted to stay in your pajamas and roll out of bed to your position in front of your computer. Maybe you don’t even plan to get out of bed. (We highly suggest getting out of bed and following tip 1 of this list). We suggest continuing your routine. It has been psychologically proven that the way you dress affects how you work. While you don’t need to dress business casual, you should still take the time to shower, brush your teeth and get ready for the day.

Avoid At Home Distractions

If you’re an easily distracted person or are planning to take this time to catch up on the latest Netflix series, create a space free from those distractions. Remember, working from home is a privilege. Without coworkers and managers constantly checking on you, you are free to do as you please, but your performance may slip. Stay focused on work throughout the day to maintain consistent productivity. Limit the time spent on email, social media and websites unrelated to work. Set a timer on your phone or computer, if necessary.

Self Evaluate

To ensure that telecommuting is working for you, be sure to conduct self-assessments periodically. Things to include in your assessment could include the following:

  • What is working as far as your hours?
  • What are you accomplishing in the office versus out of the office?
  • Are you meeting all of your deadlines?
  • Are you feeling connected with your co-workers?

Take Breaks When You Need To

Just like you are encouraged to take breaks while you’re in the office, remember to allow yourself time throughout the day for quick breaks. If you need a short break to gather your thoughts, try walking around the house or down the street, stretching, or making a snack or meal.

If you need to take a longer break, plan your time around this. Working from home has flexibility, but don’t forget to communicate with your supervisor or manager if you’re going to be away from work for longer than usual.

Be Realistic With Yourself About Long Term Work From Home Goals

For many, working from home is a temporary response to the coronavirus. Telecommuting is not meant for everyone. Talk to your manager if you are finding that working from home is causing a negative impact on your productivity or making you feel disconnected or isolated from your team.

Metropolitan Risk is partnered with ThinkHR to help you transition your business from an office to temporary remote operations. If you are looking for help in relation to your insurance coverage during the coronavirus outbreak click here to learn more. If you’re looking for more information on business continuity during the coronavirus outbreak click here. For all other questions contact a Risk Advisor at 914-357-8444.

 

For More Information on COVID-19 Click Here for Our Resource Guide