Cyber Risks and Liabilities

Ransomware Considerations for Board Members

Organizations of all sizes and sectors are facing increased cybersecurity risks. Specifically, ransomware attacks—which leverage malware to compromise a victim’s data and demand a large payment to recover it—have quickly become a rising threat across industry lines. In fact, recent research found that these types of attacks have surged by 150% in the past year alone, with the average amount paid by victims jumping by over 300%. Such attacks have also become more sophisticated over the years as cybercriminals have developed a wide range of ransomware techniques.

In light of these advancing cyber concerns, it’s important for board members to be actively involved in developing and promoting effective workplace cybersecurity measures—especially as it pertains to ransomware attacks. By involving senior leadership in such initiatives, organizations can foster a culture of cybersecurity awareness and bolster their preparedness against cyber threats. Here are five key questions that board members should discuss to help their organizations stay resilient against ransomware attacks.

How can our organization better detect ransomware threats?

Before a ransomware attack can occur, a cybercriminal has to gain access to their target’s network, systems or data. Once a cybercriminal gains this access, an extended length of time—also known as “dwell time”—typically passes before the ransomware is deployed and the attack actually begins.

With this in mind, organizations that are able to detect potential ransomware threats during dwell time rather than at the onset of an attack can stop such incidents before they even start. The following measures can help board members ensure the earliest possible detection of ransomware concerns within their organizations:

  • Keep updated records of all workplace technology to understand where ransomware threats could arise.
  • Equip all workplace technology with antivirus and malware detection software. Update this software regularly.
  • Have critical technology, systems and data consistently monitored for suspicious activity. Make sure the employees in charge of these monitoring procedures are properly trained to do so.
  • Establish thresholds for when employees should notify senior leadership of ransomware threats.
  • Provide all employees with clear ransomware reporting protocols.

What can our organization do to minimize the damages in the event of a ransomware attack?

When ransomware attacks occur, it’s vital for impacted organizations to do everything they can to limit the damages. In particular, board members should prioritize these procedures:

  • Keep data encrypted. This practice will make it significantly harder for cybercriminals to compromise data during a ransomware attack.
  • Restrict employee access to workplace technology, systems and data. Only allow access on an as-needed basis.
  • Require employees to use proper credentials and multifactor authentication when accessing workplace technology, systems and data.
  • Consider keeping different workplace networks separated to prevent cybercriminals from gaining full access after attacking a single network.

Does our organization have an effective cyber incident response plan in place?

Cyber incident response plans are one of the best tools for helping organizations react appropriately and mitigate losses amid cyberattacks. Board members should work closely with workplace leaders across departments to develop sufficient cyber incident response plans for their organizations. Generally speaking, an effective cyber incident response plan should outline:

  • Who is part of the cyber incident response team (e.g., board members, department leaders, IT professionals, legal experts and HR specialists)
  • What roles and responsibilities each member of the cyber incident response team must uphold during an attack
  • What the organization’s key functions are and how these operations will continue throughout an attack
  • How any critical workplace decisions will be made during an attack
  • When and how stakeholders should be informed of an attack (e.g., employees, customers, shareholders and suppliers)
  • What federal, state and local regulations the organization must follow when responding to an attack (e.g., incident reporting protocols)
  • When and how the organization should seek assistance from additional parties to help recover from an attack (e.g., law enforcement and insurance professionals)

Take note that cyber incident response plans should be evaluated and updated regularly to ensure effectiveness. Various activities can be implemented to assess cyber incident response plans—including tabletop exercises and penetration testing.

Does our organization’s cyber incident response plan adequately address ransomware attacks?

Cyber incident response plans should address a wide range of possible attack circumstances. That being said, it’s important for board members to ensure that ransomware attack scenarios are properly accounted for within their cyber incident response plans.

Specifically, board members must determine whether or not their organizations will make ransom payments to cybercriminals—particularly when the compromised data is sensitive in nature or critical to operations. Keep in mind that cybersecurity experts typically advise against complying with ransom demands, seeing as there is a chance that cybercriminals could take the ransom money and still not restore the compromised data, or could leverage that data in future attacks.

Further, board members must ensure their organizations are prepared for the lengthy recovery process that often accompanies ransomware attacks. In some cases, it can take several weeks or months to recover compromised data. During this time, board members must have plans for keeping their organizations functional and minimizing reputational damages.

Are all data backup protocols within our organization sufficient in protecting against ransomware threats?

Backing up important data can help organizations maintain access to key files and information during cyber incidents. However, poor data backup protocols can easily be exploited by cybercriminals, subsequently resulting in ransomware attacks. As a result, board members should ensure their organizations follow these data backup security procedures:

  • Conduct data backups on a routine schedule. Consider backing up critical data more frequently.
  • Store data backups offline and in a separate location from other workplace systems and networks.
  • Only allow trusted and qualified employees to perform data backups.

For more risk management guidance, contact us today.

Business Interruption Insurance 101: During the Pandemic and Beyond

More than a year into the COVID-19 pandemic, businesses have gotten used to a “new normal.” But with new waves of the virus surging and widespread distribution of a vaccine still to come, small businesses need to know how to manage their risks.

We’ve shared the top questions you need to ask your insurance broker during the worsening pandemic. We also know that one of the biggest questions on business owners’ minds is about business interruption.

If your business has to shut down during the latest wave of the pandemic, do you know if you’re covered by your insurance policy? Even if you have business interruption insurance, you probably are not covered.

Read on to learn what business interruption insurance is, what it covers, and whether the pandemic will have any long-term effect on these policies moving forward.

What is business interruption insurance?

Business interruption insurance is a policy that helps businesses recoup income lost when operations are halted due to direct physical loss or damage. While not usually sold as standalone coverage, business interruption insurance is often included as an add-on to a comprehensive business owner’s policy or a commercial property insurance policy.

Looking for commercial insurance? Speak with a Cleary Insurance representative to make sure your business’s unique challenges and risks are covered.

What events are covered?

Business interruption insurance applies after covered events that result in physical damage to business property, thereby preventing operations from running as usual. Examples of covered events include:

  • Fire
  • Natural disasters, like tornadoes and hurricanes
  • Wind
  • Lightning
  • Vandalism or damage from riots

However, not all catastrophes are covered by business interruption insurance. Exceptions include:

  • Floods and earthquakes. These are typically covered under a separate policy.
  • Policies have exclusions for losses due to viruses or communicable diseases, as these do not cause direct physical damage.

What types of losses are covered?

Business interruption insurance typically covers the following expenses:

  • Operating expenses, including mortgage, rent, or lease payments
  • Moving to a temporary location & reasonable expenses to keep the business operating
  • Payroll
  • Taxes
  • Loan payments
  • Profits that would have been earned, based on documented pre-loss earnings. If you can’t prove you would have earned that income, you cannot submit a claim against it.
  • Replacing machinery and retraining employees

Please also note that claims are only paid out if the insured business actually sustains a loss as a result of the business interruption.

How long does coverage last?

Business interruption insurance coverage lasts until the end of the business interruption period, as specified in your policy. The standard policy limits the restoration period to 30 days, but this can often be extended up to 1 year by endorsement.

How much does business interruption insurance cost?

The average cost of business interruption insurance varies based on factors like:

  • Industry
  • Number of employees
  • Amount of coverage
  • Prior claims
  • Location

When calculating the cost for your business, keep in mind that business interruption insurance premiums are tax-deductible.

How much coverage do you need?

We recommend that you choose a coverage limit appropriate for your business, based on factors like how long it would take your business to resume operations following a loss.

Work back from the worst-case scenario – how long would it take you to repair the physical damage, get new equipment, and retrain staff? Keep in mind that if your costs exceed your coverage limit, you will have to pay out of pocket for extra expenses.

At Cleary Insurance, we work with business owners to help them get the right amount of coverage based on their specific business risks, earnings, and projections. If you’re unsure what that looks like for your business, we can help.

Protect Your Business in a Worsening Pandemic: 3 Things You Need to Know

Over the past year, COVID-19 has totally transformed the way that businesses operate. We’ve weathered the initial storm of uncertainty and ushered in a new normal for risk management. But as the pandemic continues to evolve in 2021, many small business owners are still unsure of the implications for their insurance policies.

You probably have a lot of questions. Are you covered? What happens if you’re not?

To help you navigate this unprecedented landscape, we’re sharing the top three things business owners need to know right now to protect their business.

3 things you need to know about business insurance during the pandemic

 

1. Know That You May Not Be Covered

Don’t assume that your current insurance policy covers all of the possible scenarios that you’re facing today. Some disasters, namely pandemics, are not covered by business interruption insurance. (Learn why this is actually a good thing for policy holders.)

Other types of risks might be newly relevant for your business. Even if there are policies that can cover them, you may not have opted to purchase those policies when they were less likely to affect you. Keep reading for our recommendations on which policies to ask your provider about.

 

2. Know the Three Levels of Risk Mitigation

Even during the best of times, operating a business means taking on risk. Running a business during a global pandemic comes with even more risk. Your insurance provider’s job is to help you assess those risks and mitigate them.

When assessing risk, think about bucketing them into three categories:

  1. Risks from third parties: Movers, cleaners, meeting planners, and many other vendors all expose your business to risk. Make sure that they have proper insurance, and in many instances, name your company as “additionally insured” on their
  2. Risks that don’t require coverage: You might be surprised to hear an insurance provider tell you not to get a policy, but we believe that businesses should only pay for the coverage they need. Take a closer look at these three policies to see if they’re necessary for your company or not.
  3. Risks that require coverage: This is the bulk of risk inherent in doing business. But think beyond simple liability insurance.  Consider other exposures, such as mistakes (errors and omissions) and an umbrella policy to better cover all your liabilities.  More on this below.

 

3. How Can I Get Covered?

Take these questions to your insurance broker and find out if you’re covered. If your current policy doesn’t cover you, they can help you identify the best way to mitigate your risk.

Business Interruption Insurance

If your business needs to shut down at any point during the pandemic, you need to know what is and isn’t covered by your insurance policies.

  • Do you have business interruption insurance?
  • If you do, do you know what is included? Keep in mind that you most likely will not be covered for pandemic-related losses. For a refresher on what is typically covered by these policies, check out our recent blog on business interruption insurance 101.

If you don’t have business interruption insurance, consider getting it. Fires and floods are much more likely to happen than another pandemic, so it’s wise to be prepared for these more commonplace disasters.

General Liability

When you originally set up your general liability policies, your business’s operations likely looked very different than they do today. We recommend taking another look at your business liability insurance to ensure it covers the risks you’re experiencing today.

  • Do your general liability and workers compensation policies cover employees when they’re working from their homes?
  • Are you taking on any extra cybersecurity risks when your employees are conducting business online, on their home wifi networks?

Health Claims

The pandemic is first and foremost a health crisis, so your employees’ health should be top of mind. Take a closer look at your health insurance policies and make sure to address the following questions:

  • Do you have short term / long term disability insurance? Does it adequately cover your employees’ welfare? Does it reduce risks and costs for the business?
  • If your employees test positive for COVID-19 and need to take sick leave, is that covered under your current policy?
  • If COVID-related leave is not covered, what sort of risks will you be taking on? What will it cost you? Are you at risk for lawsuits?

Errors and Omissions

Errors and omissions policies are a type of professional liability insurance that protects your business against lawsuits for negligence or mistakes in client work. With employees working from home instead of the office, much of the oversight that guards against mistakes may be harder to administer. It’s best to take the extra step and mitigate this risk.

  • Do you have an errors and omissions policy?
  • Does it cover you when employees are working remotely?
  • What kind of mistakes are covered? What is unique to your business?

Umbrella Policy

Commercial umbrella insurance policies supplement your other liability coverage. If you go over your coverage limit, your umbrella insurance policy will kick in to make up the difference. Having this extra layer of coverage can protect you from large lawsuits or scenarios where multiple claims exhaust your base policy’s limits.

  • Do you have an umbrella policy?
  • What is included in the umbrella policy? What is excluded?
  • What is your umbrella limit? Are you carrying the right amount of coverage?

 

Cleary Insurance is committed to helping small businesses identify, offload, and mitigate risks. If you’d like to speak with a representative, we can help you find exactly the right level of commercial insurance coverage for your business needs during the pandemic and beyond.

Protecting Your Valuable Articles

It is beginning to look a lot like…

Diamonds, art, and shiny new golf clubs! We hope you had a safe and happy holiday season.  Post-holiday season is a great time to consider coverage for your shiny new ring, a beautiful new piece of artwork, your new DSLR camera, Callaway golf clubs, or Steinway grand piano.  Whatever your loved one gifted you this season, what would you do if an item was lost, stolen, or broken?  Look to your homeowner’s insurance, right?

Yes! BUT you might not get what you expect.  Most standard home policies have a special limit of $1,500 on valuable personal property and do not include coverage if lost or broken. When a stone falls out of your significant other’s ring, or when your new DSLR camera gets broken you may not have adequate coverage.

No need to fear, Cleary is here!

We suggest insuring these items separately to avoid unexpected replacement expenses and a whole bunch of headaches.  Scheduling your valuable items provides coverage for mysterious disappearance and breakage that you cannot find on a standard home insurance policy. The value of your items will be settled on a pre-determined limit so you will know what to expect which helps to ensure a hassle-free claims experience!  Not to mention you will also save your deductible!  Let us help you purchase peace of mind today and give us a call!

Preventing Frozen Pipes for Business

Cold temperatures can reach areas of your facility that you seldom visit or cannot see, such as:

  • Crawl spaces
  • Closets
  • Enclosed spaces (e.g., attics, lofts, roof spaces)
  • Warehouses
  • Isolated storage areas

Strategies to Help Prevent Frozen Pipes

Some prevention strategies to consider:

  • Properly insulate and/or provide approved heat tracing for water-filled pipes located in exterior walls or unheated spaces.
  • Drain any piping that is not required during the winter months.
  • Maintain a minimum temperature of 40° F (4.4° C) in building areas with processes susceptible to freezing, wet-pipe sprinkler systems, fire pump houses and dry-pipe valve enclosures.
  • Ensure that anti-freeze sprinkler systems have sufficient concentration (appropriate specific gravity readings) of antifreeze to withstand freezing weather.
  • Inspect dry systems to help ensure air settings are correct, air maintenance systems are in good operating condition, and any pipe closets are well insulated. If any heat tape or heating systems are being used, ensure that they are UL-listed for this specific purpose and are in good operating condition. Low points and auxiliary drains on dry-pipe sprinkler systems should be opened and drained of any water or condensation.
  • Any branch lines on wet sprinkler systems exposed or subject to extreme cold weather should be insulated and heat traced. Electric heat tracing products should be UL-listed for this specific purpose.
  • Fire pump test headers should be checked to ensure they have been properly drained.
  • Fire pump and dry-pipe sprinkler system equipment rooms should be checked routinely to ensure the heaters are in good operating condition.
  • The use of low temperature supervision can help to ensure rooms are being properly heated.

 

https://www.travelers.com/resources/facilities-management/preventing-frozen-pipes-for-businesses

Tips for Workers’ Compensation Policyholders During COVID-19

Presented by: Acadia Insurance

The COVID-19 pandemic has caused many businesses to adjust or reduce their operations.  Workers may have transitioned to working from home, had their hours reduced, been furloughed (some with pay, some without) or been laid off.

With this upheaval, it is important to maintain accurate payroll records to ensure you are charged the appropriate premium for your Workers’ Compensation coverage. Workers’ Compensation policies are audited at the end of each policy term, and premiums will be adjusted based on your employee payroll and type of work performed over the course of the year.

In particular, make sure your records account for the following:

  • Any changes in payroll, including a reduction in staff or reduction in hours
  • If you have furloughed employees with pay during the business disruption, make sure to keep separate payroll records for these employees for the time they continue to be paid and are not working for you. Furloughed payroll will have a reduced or zero rate when used in the calculation of Workers’ Compensation premium, depending on state Workers’ Compensation rules.
  • If you have furloughed workers within the state of Massachusetts, Massachusetts has the additional requirement below:
    An employer who is making payments to paid furloughed workers must provide to their workers’ compensation carrier, within the later of 60 days of approval date of this rule or 25 days after the employer begins making payments to paid furloughed workers, a list of all paid furloughed employees, which shall also include the employee’s normal workers’ compensation classification, weekly wage, furloughed date, and anticipated date of return to work.

Tips for a Change in Operations
Many businesses are not able to run their typical operations because of states’ response to COVID-19 and, instead of closing, they may adapt their operations so they can maintain a flow of income. Other businesses have changed their operations to help respond to the pandemic by providing essential products. For example, many distillers have adjusted their operations to not only distill spirits but also to manufacture hand sanitizer to help with the shortage. If your business has had a material change in operations during COVID-19:

  • Contact your insurance agent to see if this change in operations could impact how your Workers’ Compensation policy is priced.
  • Note changes in roles of your employees as part of your payroll reporting as they may be assigned to a different class code. Are employees engaging in work that is materially different from their prior role?

Maintain Workers’ Compensation Coverage
If you’ve had to make the difficult decision to lay off all employees during this time, it is important to maintain Workers’ Compensation coverage so you are protected when your business resumes operations. Maintaining accurate payroll records will ensure your premiums reflect your reduced business operations and staff during this period. More importantly, if you cancel your policy, you may find purchasing a new policy difficult or more costly when you resume operations as insurance carriers evaluate new customers on several factors, including whether the business has had continuous prior coverage in place.

Your insurance agent is an important professional resource who can help ensure your insurance keeps up with your business during this disruptive time. For more resources about managing your business during COVID-19, visit Acadia’s dedicated resource page https://www.acadiainsurance.com/coronavirus-covid-19/

Workers Compensation and COVID-19 Related Furlough Payments:

The Massachusetts Division of Insurance recently approved a new classification that will exempt COVID 19 related furlough payments to employees from Workers Compensation payroll. This means that furlough payments will not count as payroll when used to determine Workers Compensation premium. There are some very specific qualifiers for this program:

  1. The insurance carrier needs to be notified immediately if you intend to request that furlough payments be exempt from Workers Compensation payroll. We can assist you with this process. This new rule was approved on July 17th and insurance carriers need to be notified within 60 days of that date.
  2. Employers must have records listing furloughed employees, their normal Workers Compensation classification, weekly wage, furlough date and anticipated return.
  3. Furlough payments made between March 1st and December 30th are eligible. The program expires as of December 31st 2020.

Many other states have adopted similar provisions to exempt furlough payments from Workers Compensation payroll. Please contact your representative immediately if you believe that your policy will qualify for this program.

Business Interruption Insurance and COVID-19

The COVID-19 pandemic and the various measures designed to contain its spread have had an unprecedented impact on the business community.  Many businesses, such as those in the hospitality sector, have had to cease or drastically curtail operations with uncertain prospects for a restart.  Not-for-profit organizations are seeing fewer donations at a time when many are seeing a higher demand in services due to the human toll of social isolation.  Businesses on the other end of the spectrum that have been able to continue uninterrupted are certain to be impacted in the future due to the economic slowdown.  Suffice it to say that the vast majority of organizations have had some level of negative impact in the past two months that will continue in the near future.

 

Business Interruption insurance has been a frequent topic in recent weeks as a possible avenue for organizations to recover lost profit and pay for continuing expenses.  There have been a number of high-profile lawsuits against insurance companies for denying these claims.  A recent and local example is the lawsuit by Legal Seafoods against their insurance carrier for a claim denial. Insurance policies vary in the scope and range of coverages so it is impossible to state that all of these types of claims should be covered or denied.  However, we believe that the majority of these claims face difficult prospects for recovery.

 

Business Interruption (also known as Business Income) is a coverage commonly found on commercial property insurance policies.  In some cases, there is a specified limit while other types of policies designed for smaller businesses are written on an “actual loss sustained” basis for a 12-month period.  The coverage is designed to allow a business to recover continuing expenses (payroll, rent, leases, taxes, etc.) and lost profit when it sustains a covered property loss that results in a shutdown or curtailment of operations.  An additional component called Extra Expense is often included with Business Interruption.  Extra Expense addresses the additional costs a business sustains over and above normal operating expenses that are required to expedite recovery.  A shutdown required by “Civil Authority” is a common feature that can extend coverage when a municipality mandates that a business close due to some form of physical damage nearby (e.g., a gas main explosion).  In all cases the coverage trigger is a covered property loss such as fire, wind, vandalism, or collapse.

 

There are several challenges for Business Interruption claimants but two of them stand out.  The business closures or curtailments have been primarily due to government mandates designed to minimize or slow the spread of a virus.  In most cases there was no physical damage or direct contamination requiring the business closure.  Secondly, most policies contain a specific exclusion for a virus.  Exclusions for communicable diseases and viruses were almost universally added starting in 2006 as a result of SARS and have been reinforced by other outbreaks such as H1N1 and Zika.  The primary reason for these types of exclusions is that an event or series of related events impacting millions of individuals and businesses throughout the country at the same time period is “uninsurable”.   It is estimated that the monthly impact for COVID-19 is in the $250 to $350 billion range.  By comparison, the aggregate insured loss from natural disasters was $52 billion in 2018 for the full year.

 

Legislation has been introduced in a number of states, including Massachusetts, designed to compel the insurance industry to pay for Business Interruption losses due to the COVID-19 related shutdowns.  These legislative actions will be contested on constitutional grounds, a process that will likely draw out for years.  Perhaps a solution can be developed that is similar to how Congress and the insurance industry responded to the September 11th attack.  From purely an insurance point of view, the attack on September 11th was an unforeseen tragedy that generated more than $40 billion in losses in addition to the human toll.  Human and economic losses continue with high levels of cancers for first responders that worked on recovery at the World Trade Center.  Congress and the insurance industry developed the Terrorism Risk Insurance Act that allowed insurance companies to absorb the initial $200 million in claims associated with a single terrorist event, with the Federal government taking on the excess.

 

We have spoken with many of you over the past few weeks regarding this issue.  We encourage any of you with questions on this issue to reach out to us.  Some of you have decided to file claims and we are certainly willing to discuss and assist others that might be contemplating the same action.  Situations are unique and policy conditions can differ.  We wish all of you a speedy recovery from the recent events and, above all, good health.

Department of Family and Medical Leave – Update

The Department of Revenue recently released important information on how to report PFML Wages for the 4th Quarter 2019 Paid Family and Medical Leave Return. The Department of Family and Medical Leave is providing this update for all employers participating in the Commonwealth’s PFML program to ensure an accurate filing of withholdings by the quarterly deadline of January 31, 2020.

PLEASE BE AWARE THAT THIS REPORTING REQUIREMENT DOES NOT APPLY TO EMPLOYERS THAT HAVE RECEIVED AN EXEMPTION FROM BOTH THE FAMILY AND MEDICAL LEAVE PROGRAMS OR ARE CONSIDERED EXCLUDED EMPLOYMENT PER SECTION 6 OF THE UNEMPLOYMENT STATUTE.

IF YOU HAVE ONLY RECEIVED AN EXEMPTION FOR ONE LEAVE PLAN, YOU MUST SUBMIT FOR THE NON-EXEMPTED PLAN, ACCORDING TO THE INFORMATION PROVIDED BELOW.


When reporting 2019 PFML contributions, please report fourth quarter wages only in both the PFM Eligible YTD Wages and Wages This Quarter boxes on the MassTaxConnect return. For the calculation to be correct, do not report actual 2019 year-to-date wages in the PFM Eligible YTD Wages box.

The reason for reporting only fourth quarter earnings in the PFM Eligible YTD Wages box is that contributions were not withheld for the first three quarters of 2019, so the Social Security annual wage cap should only be applied against fourth quarter wages.

This will only be necessary for this first PFML reporting as contributions were not withheld on all 2019 wages.  When submitting future returns, you will report the actual YTD wages in the appropriate box.


IF YOU HAVE BOTH W-2 EMPLOYEES AND INDEPENDENT CONTRACTORS, BUT YOU OUTSOURCE ONLY W-2 PAYROLL SERVICES TO A THIRD PARTY
Important information about the timing of reporting

If your company outsources only W-2 payroll services to a third party, and handles reporting for your independent contractors (whose payments are reported on 1099-MISC) internally, there are some rules to follow when filing returns. It’s very important that the reporting be done in a specific sequence for it to be processed correctly.

First, the payroll service, filing on behalf of your salaried employees (W-2s), must file before you file on behalf of your “covered contract workers” (1099-MISCs covered under the PFML Statute). Next, when you file on behalf of your covered contract workers, you must identify your filing as an amendment to the return already filed by your payroll service (see screenshot below). Please follow this sequence to be certain the information is properly recorded.

 

MORE INFORMATION

The Department of Family and Medical Leave oversees the Commonwealth’s Paid Family and Medical Leave program. Check out their website for a fact sheet, guides and information for both employers and workers.

You will find more information on exemption requests, registration, contributions, and payments for the Paid Family and Medical Leave program from the Department of Revenue.