A friend of mine asked me the other day if the cyber-risk threat was a bit of flimflam designed to sell more insurance policies. When I asked him to expand on that most interesting comment he proceeded to compare cyber-risk to the Red Scare of the 1950s when families scrambled to build bomb shelters to protect them from a war that never came. The only ones who got rich back then were the contractors, he proudly concluded.
I found his question incredulous given the world we live in, not to mention his peculiar analogy. But realizing he didn’t work in the commerce stream, per se, quelled my impulse to slap him around.
So I shared with him some statistics that sobered him up quickly. I explained that cyber-crime costs the global economy over $400 billion per year, according to estimates by the Center for Strategic and International Studies; and each year over 3,000 companies in the U.S. have their systems compromised by criminals. IBM reports more than 91 million security events per year. Worse yet,
Employment Practices Liability Insurance is designed to protect businesses when it comes to discrimination against employees. Ask your agent about it today.
Title VII interpretations on LGBT issues perplex employers.
PHILADELPHIA — Courts are just as confused as employers about whether federal law prohibits discrimination based on gender identity and sexual orientation.
People believe that there are federal protections for the LGBT community nationwide that really don’t exist, Victoria Nolan, risk and benefits manager for Clean Water Services in Hillsboro, Oregon, said at the Risk & Insurance Management Society Inc.’s annual conference in Philadelphia on Tuesday.
PHILADELPHIA — Coming soon to a workers compensation claim near you: medical marijuana.
That was the message to a roomful of risk managers at a session Tuesday on medical marijuana at the Risk & Insurance Management Society Inc.’s annual conference in Philadelphia.
As of this month, 29 states and Washington now permit the use of medical marijuana — more than half the country.
In a Social Media World, Are You Covered for Libel?
It is widely thought that a homeowner's insurance policy covers only incidents that physically occur in the home, which is partially correct. In fact, coverage can go beyond the home and can insure you for a personal injury claim, if the right conditions are in place. One may think of the term "personal injury" as requiring a physical injury suffered by another party. While a liability policy will likely apply to an incident of physical injury, personal injury is a broader concept. In the insurance world, personal injury can include harm caused by false arrest, detention, or imprisonment; malicious prosecution; wrongful eviction; slander; libel; and invasion of privacy. Basically, a personal injury policy can protect a homeowner and others covered under the policy against a claim for almost every injury that someone can experience without suffering any actual physical harm.
Given this broader definition of personal injury, would your policy cover a claim for accidentally saying something personally harmful on social media? It depends. Here are the most likely scenarios of what you may have:
Are your Workers Employees or Independent Contractors?
The United States Department of Labor and the Internal Revenue Service have combined their efforts to help various states share resources and information that will expose worker classification violations. Employers found to be in violation could face paying back taxes, back pay to workers, missed overtime, retroactive benefits, interest, fines, staff effort charges and legal fees. With situations where there are multiple violations or willful negative intent, the penalties and fines are worse. In addition to the money a violation would cost, employers would also face the negative effects of this damaging information being made available to the public.
The IRS has made it clear that it is not easy to classify independent contractors and employees. Every case they evaluate is different based on a wide variety of factors. To start, employers may think about whether they have control over a worker's performance and work outcomes. This is not based on whether an employer decides to exercise control. It is a matter of whether the employer actually has the legal ability to control the workers in these areas. The IRS has a set of rules called the Common Law Rules, which cover the categories of financial control, behavioral control and relationship classifications. None of these factors are individually decisive. The entire situation must be evaluated to make an accurate determination. In addition to these evaluations, employers may take the Economic Reality test from the Department of Labor. This test is based on the Fair Labor Standards Act and includes six factors that are similar to those used by the IRS.
One of the best ways to show that a worker is not an employee but an independent contractor is to show proof of that individual's ownership of a business. In addition to this, employers can show proof that the worker's tasks are not an integral part of the employer's business. Workers who are free to be hired by others or who perform freelance work are not considered employees. For every independent contractor used, businesses should keep vendor folders on file. The following paragraphs outline what information should be included in each file.
Every independent contractor should complete a W-9. This is necessary for creating a 1099 tax document. If the individual does not claim exemption, employers should withhold taxes. For current tax withholding percentage information, discuss the topic with an agent. However, independent contractors should be encouraged to check the box and file their own self-employment taxes.
Keep every invoice the contractor submits. Payment should be made based on these documents. If a worker is not an employee, he or she should not submit expense reports. Since mileage and equipment are a contractor's business expenses, contractors should not bill for these items. Make sure all invoices match 1099 forms, which must be sent to the independent contractor after the end of the year.
Proof Of Separate Business
If an independent contractor has his or her own business, keep any items that reflect proof of this. Business stationery, advertisements, brochures, business cards or any similar items are acceptable. For contractors who have their own sites on the Internet, it is important to print copies of any online pages where services are outlined.
It is important to have a written contract for every independent worker. This document should clearly state the nature of the relationship between the business and the worker. In addition to this, the project's details should be outlined. A contract should include what the business expects from the contractor, the payment terms and any deadlines. Make sure the document is dated and signed by both parties. If a contractor has a tax identification number, this should be included. New contracts should be created for each project when the same contractor is hired for multiple projects.
Before classifying a worker as an independent contractor, it is important for a business owner to do his or her homework carefully. Employment laws today are very strict, so discuss any concerns with an agent.
Your Insurance Place
5450 Thornwood Dr. Suite O
San Jose, CA 95123
Sometimes the penalty for misleading your Workers Comp carrier is more than just increased premium due to an audit.
Hyok Kwon, owner of Good Neighbor Services, a janitorial company that provided services to some of San Diego’s most exclusive hotels and resorts, pleaded yesterday to seven felonies, including premium and employment tax fraud.
Kwon was convicted of creating an elaborate scheme to avoid paying workers’ compensation insurance premiums and employment taxes. Kwon stipulated to an eight-year prison sentence and to pay restitution exceeding $5 million.
Woo Hui Kwon pleaded guilty on Dec. 6, 2016 to two counts of premium fraud and two counts of employment tax fraud. She was sentenced to four years and eight months, and restitution that totaled over $5 million to insurance carriers and Employment Development Department.
The janitorial company provided cleaning staff to major hotels across San Diego, Los Angeles and Riverside Counties, including The Hotel Del Coronado, Loews Coronado, La Costa Resort and Spa, The Grand Del Marin La Jolla, L’Auberge Del Mar, The Ritz Carlton, Four Seasons, Hilton and Hyatt hotel chains.
Reports released last week by U.S. security officials and private cybersecurity researchers suggest hacking of energy facility computers is on the rise, and happens far more often than the public assumes.
The Department of Homeland Security said it received reports of 59 cyber incidents at energy facilities last year, up nearly a third from the year before.
The agency responsible for protecting the nation from cybercrime said it worked to mitigate 290 incidents last year across more than a dozen industries that rely on computer controls to run industrial sites, including manufacturing sites, power generation facilities, refineries, chemical plants and nuclear facilities.
It found more than a quarter of these intrusions originated from so-called spear phishing emails that hackers use to trick people into downloading infected attachments or clicking on virus-laden links. More than one in 10 came from network probing and scanning.
"Every year, adversaries develop increasingly sophisticated attacks against control system networks," Homeland Security's Industrial Control Systems Cyber Emergency Response Team said.
The increased number of intrusions into energy computer controls last year brings the number of such incidents in the industry to more than 400 since 2011, Homeland Security data show. Security specialists say that's likely a conservative number because energy companies aren't required to report cyberattacks to the U.S. government.
In another report, cybersecurity researchers believe computer controls at industrial facilities, including in the oil business, get infected by non-targeted malware at least 3,000 times a year.
Dragos Security, a cybersecurity firm in San Antonio, arrived at what it believes is a conservative estimate of worldwide industrial cyberattacks after studying 30,000 samples of infected control system files submitted over the past decade and a half to a publicly available database called VirusTotal, a web service owned by Google.
The findings show malware that isn't even tailored to industrial controls finds its way into critical technology far more often than the public assumes. Some of the malware can spread through these systems with ease, and some were designed many years ago.
"If you have really bad cyber hygiene and you're not paying attention to basic things, you're more likely to get impacted by a virus that was written nine years ago," said Ben Miller of Dragos.
For example, Miller found thousands of industrial files compromised by Sinowal, a Trojan horse first discovered in 2006. Even more common, though, were strains of malware that spread from computer to computer, created at least five years ago.
It's not clear how many of these industrial facilities were tied to the energy industry, because the VirusTotal data only provided the country of origin of the independently uploaded files. But it's yet another grim revelation for oil companies that rely on automated computer controls to run refineries, pipelines and offshore platforms.
Miller said these breaches could begin during the equipment upgrades that happen when power plants, refineries and other energy facilities are taken offline for repairs.
Crews of engineers, equipment contractors and information technology specialists flowing in and out of the facilities could, for example, fail to follow security protocols and accidentally plug infected USB drives into facility systems. And they might only discover they've infected operational computers after they use the same thumb drives in corporate computers outfitted with antivirus alert systems, Miller said.
Due to the legality of recreational marijuana in California, some employers worry about how it affects the workplace. Will your employees come to work high? Are you required to turn a blind eye?
The truth is that California employers are not required to allow employees to use marijuana. Lawmakers are pushing to create legal limits for marijuana impairment in the same manner as alcohol. And although research is still ongoing for developing tools to accurately determine impairment due to marijuana, clearly written policies that have been approved by an attorney will still help protect employers.
Given the hazards of impairment while performing many job duties, an employer’s handbook should include clear rules and punishments for violating company substance abuse policies. Businesses whose employees operate heavy equipment, including vehicles, should be even more sure that the proper precautions are in place. Most insurers will require that driving records be checked periodically, and some may even require drug testing and background checks. If you suspect impairment but do not have a program to test impairment, keep the employee from operating a motor vehicle or heavy equipment.
Follow this link for a packet from one of our carriers that will help you establish a Drug-Free Workplace Program if you don’t have one in place.
Zeke Corley has been a licensed insurance broker since 2003. You can email him at firstname.lastname@example.org or call him at the San Diego office at (858) 569-8100. Visit our agency online at www.yourinsuranceplace.com.
The Hiscox Report on Cyber readiness surveyed executives and IT specialists at the end of 2016. It is the most comprehensive report on Cyber readiness I’ve seen thus far. It delves into types of businesses most affected, the businesses most prepared for an attack, and which businesses seem to be taking the risk less seriously.
Many questions are asked, including:
· How often do these attacks actually happen?
· What is the average financial loss?
· How long does it take to get back to business as usual?
72% of larger businesses reported a cyber incident last year, while 47% of those experienced 2 or more in the same year. For firms with 99 or fewer employees, the average estimated cost of an organization’s largest cyber incidents in the last 12 months was just over $35,000. For the largest firms, that figure is just over $100,000. The study shows that larger firms may suffer the bigger financial losses, but smaller companies suffer the most damage due to complacency. Although the information and resources are available to them, 29% of small businesses surveyed make no changes following an attack.
The study finds that the 2 industries most targeted are:
1. Transportation & Distribution (65%)
2. Technology, media, & telecommunications (59%)
Of course, this should not put other business types so much at ease that they don’t take the necessary precautions. Attacks happen every day. Will your business suffer a loss before you put a policy in place? More than a third (37%) of businesses surveyed took two or more days to realize they had been breached. This is an eternity for a hacker to gather crucial information from your business, clientele, and associates. Once the damage is done, the cost to get back to business as usual isn’t only measured in dollar signs, but in time.
After an attack, some businesses can take another two days to return to business as usual. And that doesn’t include the time for ongoing investigation and notification of those affected. Being unprepared for an attack can make the loss even more costly due to:
· Business disruption
· Fines & compensation
· Compromised identity of clientele
· Asset recovery
· Brand damage (negative publicity, bad reputation)
Leaving your business open to attack can also leave it open to a lost reputation and forever-damaged client relationships.
The most common ways that attacks occur are:
1. External attack targeting the organization
2. External attack targeting business partners or suppliers
3. Internal incident or threat
4. Lost or stolen devices
Businesses most likely to be informed about the cyber risks are multi-national companies, technology companies, and those that specialize in financial services. Companies with fewer than 100 employees are least likely to be proactive. And even companies with IT departments tend to ignore the warnings of their IT personnel.
Companies that suffer fewer successful breaches of their cyber security are consistent on a couple of points:
1. Involving higher management
2. Training employees
Involve board and executive management in setting a cyber security strategy. The study shows that 45% of the time, businesses entrust their cyber security to their IT department, and management isn’t kept in the loop regarding security upgrades, needs, or potential threats. On the importance of employee training, the Hiscox report states “The human element in cyber breaches is enormous, and a modest investment in employee training can have a big impact on cyber readiness.” Employee training and system tracking and documentation are as important as taking out a Cyber insurance policy.
Cyber Liability insurance is one of the fastest growing areas of insurance worldwide. Businesses are taking out policies more often due to contractual requirements, the clear cost of damage, and the increasing number of high-profile data breaches worldwide. Many businesses believe, yet may not have verified, that they are somehow already covered by their current General Liability insurance policy. Those who haven’t been assured of coverage should contact their insurance agent ASAP. Network One Insurance is very well versed in this coverage and we would be happy to speak to your business about your Cyber Liability insurance needs. Although some insurers do offer a small amount of coverage included in their policy, many only have it as an optional coverage, and others would require businesses to acquire a standalone Cyber Liability policy.
*Three countries were included in this survey, but only figures pertaining to the U.S. were used in this article. The survey was conducted between November 16, 2016 and December 5, 2016. You can see Hiscox’s Cyber Readiness Report in full here.
Zeke Corley has been a licensed insurance broker since 2003. You can email him at email@example.com or call him at the San Diego office at (858) 569-8100. Visit our agency at http://www.yourinsuranceplace.com/
Welcome to our new insurance agency blog!
This is our very first post. We're not quite sure what we're going to write about here, but the plan is to create helpful content for customers and prospective clients about information that is relevant to you.
We hope you'll come to view this as a top resource for keeping your family and your finances safe.
Here are a few of the topics we may be writing about: