If your customers are located within the European Union or European Economic Area, it is critical to understand this regulation. US businesses are required to comply with it if they control or process the personal data of individuals within the EU or EEA, even when the business has no physical presence there.
As technology becomes increasingly important for successful business operations, the value of a strong cyber liability insurance policy continues to grow. The continued rise in the amount of information stored and transferred electronically has resulted in a remarkable increase in the potential exposures facing businesses.
In an age where a stolen laptop or data breach can instantly compromise the personal data of thousands of customers, protecting your business from cyber liability is just as important as some of the more traditional exposures businesses account for in their commercial general liability policies.
Claims Scenario: Outsourcing Gone Wrong
The company: A national construction company that outsources some of its cyber security protections
The challenge: A construction firm partnered with a third-party cloud service provider in order to store customer information. While this service helped the company save on server costs, the third-party firm suffered a data breach.
As a result, the construction firm had to notify 10,000 of its customers and was forced to pay nearly $200,000 in incident investigation costs. The incident was made worse by the fact that the firm did not have a document retention procedure, which complicated the incident response process.
Cyber liability insurance in action: Following a data breach or other cyber event, the right policy can help organizations recoup a number of key costs. Specifically, cyber liability policies often cover investigation and forensics expenses—expenses that can easily bankrupt smaller firms who forgo coverage.
What’s more, when third parties are involved, managing litigation concerns can be a challenge. By using cyber liability insurance, organizations have access to legal professionals well-versed in cyber lawsuits and response.
Benefits of Cyber Liability Insurance
- Data breach coverage—In the event of a breach, organizations are generally required by law to notify affected parties. This adds to overall breach costs, particularly for security fixes, identity theft protection for those affected and defence against possible legal action. Cyber liability policies include coverage for these exposures. Note that insurance reimburses costs after the fact; it does not itself protect your data from cyber criminals, so it complements rather than replaces security controls.
- Business interruption loss reimbursement—A cyber attack can lead to an IT failure that disrupts business operations, costing your organization both time and money. Cyber liability policies may cover your loss of income during these interruptions. What’s more, increased costs to your business operations in the aftermath of a cyber attack may also be covered.
- Cyber extortion defence—Ransomware encrypts an organization’s key data (and, increasingly, copies it off the network first) and demands payment for its return or non-disclosure. As these attacks increase in frequency and severity, cyber liability insurance can help recoup losses related to cyber extortion, which, subject to the policy’s terms, may include negotiation costs, recovery expenses and the extortion payment itself.
- Legal support—In the wake of a cyber incident, businesses often seek legal assistance. This assistance can be costly. Cyber liability insurance can help businesses afford proper legal work following a cyber attack.
Contact Tooher-Ferraris Insurance Group today to learn more about your unique exposures and options for Cyber Liability Coverage. Using our industry specific cyber exposure scorecards we can customize a plan for your unique needs.
Phone: 800-899-0093 | www.toofer.com
Directors and officers liability (D&O) insurance is a fundamental component of any company’s risk management program. A lack of D&O insurance may dissuade talented individuals from seeking an executive position at your company, as they don’t want to put their personal assets at risk in the event of a lawsuit.
As a savvy business owner looking to protect your bottom line, how do you weigh the cost of insurance to protect your senior leadership against the potential risk of a lawsuit? As regulatory investigations and defense expenses increase, prices for D&O insurance have gone up as well. Corporate indemnification provides the first line of liability protection, but certain circumstances, most notably a company bankruptcy, necessitate that additional protection is offered to directors and officers.
A variety of factors determine the price of a company’s D&O insurance. Some low-risk companies pay pennies on the dollar; others pay a lot more, but they understand it’s a lot less than the expenses they’d incur in a lawsuit. Recognizing the cost drivers of D&O insurance—a company’s exposures, legislation and trends in D&O lawsuits—can help you decide what coverage your company needs to mitigate its unique exposures.
Company Characteristics and Exposures
Public, private and nonprofit corporations with assets of all sizes purchase D&O liability insurance. To determine the cost of premiums and the limits of coverage, insurers review several facets of the company’s structure and price D&O insurance accordingly. Some of these attributes include the following:
- Is the company mature or young and developing? Companies with less experience and a shorter history of proven effective management can be a riskier policy to underwrite than well-developed companies that have experienced directors and officers.
- What industry is the company involved in? Operating in certain industries, such as investment banking and securities, exposes executive management to more risk than, for example, the board members of a small nonprofit face.
- Is the company financially stable? Insurers consider the amount of debt a company carries. Corporate indemnification usually protects directors’ and officers’ personal assets, but if the company’s finances are unstable it has an increased chance of becoming insolvent during a lawsuit, at which point indemnification may no longer be available.
- Is the company planning on going public soon? An initial public offering, the most common way to go public, increases a private company’s exposures. Inadequate disclosure, or performance that fails to meet the expectations set during the offering, are significant risks for directors and officers during this process.
- Does your company have employees? From nonprofits to large, publicly held companies, employment-related claims are the primary cause of lawsuits against an organization’s directors and officers.
- Does the company operate in foreign markets? Conducting business internationally can complicate the D&O insurance needed. For example, in addition to domestic laws, European countries have their own set of regulations to follow.
- What is the company’s history of past litigation? Insurers will analyze a company’s history of
What Type of D&O Coverage Do You Need?
Your organization’s unique attributes and risks will
Side A: This coverage protects directors and officers when indemnification is not available. For example, if the company goes bankrupt during a lawsuit, this coverage would protect directors’ and officers’ personal assets.
Side B: This coverage reimburses a company’s
Side C: This coverage protects the company itself in the case of a
Employment Practices Liability (EPL): This coverage protects directors and officers against wrongful termination, discrimination (age, sex, race, disability, etc.) or sexual harassment suits from current, prospective or former employees.
Fiduciary Liability: This coverage protects the fiduciaries of employee benefit plans from ERISA lawsuits, previous lawsuits
Current and New Legislation
Securities and Exchange Commission (SEC) regulations continue to impact the cost of D&O insurance. Publicly held companies especially must be cognizant of and keep current on SEC disclosure obligations and the provisions of the Sarbanes-Oxley (SOX) Act of 2002, which was enacted in response to the corporate scandals at Enron, Tyco, WorldCom and others.
Also, the whistleblower provisions added by the Dodd-Frank Wall Street Reform and Consumer Protection Act have caused a spike in whistleblower reporting, bringing many D&O claims to light and increasing the need for D&O insurance. These provisions give whistleblowers a “bounty,” or monetary award, when the information they provide leads to an SEC enforcement action resulting in more than $1 million in monetary sanctions. Given this incentive, the number of whistleblowers coming forward has increased since the SEC’s rules implementing the program took effect in 2011.
Trends in D&O Lawsuits
Even after a thorough assessment of a company’s risks, D&O insurance continues to be a high-severity product, as carriers are often hit unexpectedly with catastrophic claims. It’s no surprise that as litigation increases, the price of D&O insurance increases as well. In addition, as the litigation process grows lengthier and if multiple lawsuits erupt from a single transaction, a company can quickly exhaust its primary layer of D&O coverage.
Some types of lawsuits occur less often, but result in catastrophic losses. Other types result in smaller payouts, but occur more frequently. Nonetheless, defense expenses can cost millions of dollars, even if the director or officer is not found liable. Some of the types of lawsuits that affect directors and officers include the following:
- Breach of fiduciary duty lawsuits
- Employee Retirement Income Security Act (ERISA) lawsuits
- Employment-related lawsuits
- Mergers and acquisitions (M&A) and “merger objection” lawsuits
- Securities class-action lawsuits
- Shareholder derivative suits
Within the last few years, there has been an increase in M&A lawsuits. In 2014, there were more than 600 lawsuits regarding M&A. Some M&A cases involve multiple lawsuits and a lengthy litigation process, which can deeply cut into a company’s primary D&O policy.
Know What Your Policy Covers
While many companies usually focus on the cost of their D&O policy, understanding the scope of the policy is even more critical. Most D&O policies are renewed yearly, and the terms and conditions can change. Read through your policy carefully. Be aware of the following:
- Look at the limits of your liability. Are they enough to cover your exposures? Companies with a lot of risk exposures usually find that they need more than just the primary coverage, and purchase excess insurance as well.
- Be aware of exclusions; most D&O policies do not cover claims arising from fraudulent or criminal acts, typically once that conduct has been established by a final adjudication. Defence costs are often advanced until that point, so check how your policy handles them.
- For some insurance carriers, Employment Practices Liability (EPL) insurance and Fiduciary Liability insurance are policies that are purchased separately from primary D&O insurance. Don’t assume they are automatically included in your D&O policy.
Floods, lightning and other common storm hazards can endanger your home, but you also need to consider the wind damage that accompanies these weather events. High winds can cause significant damage to your home’s roof, windows, doors
Here are some ways you can protect your home:
- Roof—Inspect your roof from the ground to ensure it’s fully covered. If you notice any damage, you should consider having it inspected professionally to ensure it’s up to code and that all of the shingles are secure.
- Doors—Make sure your doors are made of a sturdy material, such as solid wood or hollow metal, that is strong enough to resist wind but not so heavy that it becomes a hazard if torn off. You can also reinforce existing doors by installing additional hinges or deadbolts.
- Windows—Install impact-resistant shutters on large windows to protect your home from changes in air pressure and flying objects.
- Yard—Remove any trees or other foliage that could come loose and fall on your home in high winds.
After a storm passes, inspect your home for damage as soon as possible. Contact Tooher-Ferraris at 203.834.5900 if you need to make a claim or have questions about your insurance coverage for wind damage.
On Dec. 5, 2016, the Federal Motor Carrier Safety Administration (FMCSA) issued a final rule that aims to improve roadway safety by establishing a National Drug and Alcohol Testing Clearinghouse.
Under the final rule, motor carriers and other employers of commercial motor vehicle (CMV) drivers must use the Clearinghouse to ensure that current and prospective employees do not have any unresolved drug and alcohol violations that render them ineligible to operate a CMV. Employers will also be required to report positive drug test results, alcohol test results with an alcohol concentration of 0.04 or greater, refusals to test and other non-test violations of FMCSA’s drug and alcohol regulations.
These requirements take effect on Jan. 6, 2020, the date that the Clearinghouse is scheduled to become operational. Employers, CMV drivers
- Will allow motor carriers and other employers to identify drivers who are ineligible to operate a CMV.
- Will contain information about violations by employees who are subject to drug and alcohol testing under FMCSA regulations.
- Employers must use the database to ensure current and prospective employees do not have unresolved violations.
- Jan. 6, 2020—Employers must begin using the Clearinghouse and must also make manual inquiries with former employers.
- Jan. 6, 2023—Employers will no longer be required to request data from a driver’s previous FMCSA-regulated employers.
What information will the Drug and Alcohol Clearinghouse contain?
The Clearinghouse will contain records of violations of drug and alcohol prohibitions in 49 CFR part 382, subpart B, including positive drug or alcohol test results and test refusals. When a driver with a drug and alcohol program violation completes the required Return-to-Duty (RTD) process, this information will also be recorded in the Clearinghouse.
Who is authorized to use the Clearinghouse?
To access the Clearinghouse (once it is operational), a user must request access from the FMCSA by registering. Authorized users will include:
- Motor carriers and other employers with drivers operating CMVs that require a commercial driver’s license (CDL) or commercial learner’s permit (CLP);
- CDL/CLP drivers;
- Consortium/third-party administrators;
- Medical review officers;
- Substance abuse professionals;
- State driver licensing agencies; and
- Federal and state enforcement personnel
Will a prospective employee’s drug and alcohol violation history with Department of Transportation (DOT) modes other than the FMCSA be available in the Clearinghouse?
No. The Clearinghouse will contain only drug and alcohol program violation information for employees subject to the testing requirements under the FMCSA regulations in 49 CFR part 382. Employers must continue to request information from previous employers if an employee was subject to DOT drug and alcohol testing required by a DOT modal administration other than FMCSA (as required by §391.23(e)(4)(B)).
May employers report the results of non-DOT drug or alcohol tests to the Clearinghouse?
No. Only results of DOT drug tests, alcohol tests or test refusals may be reported to the Clearinghouse. While employers may conduct drug and alcohol testing that is outside the scope of the DOT testing requirements, positive test results or refusals for such non-DOT testing may not be reported to the Clearinghouse.
What actions will drivers be able to take in the Clearinghouse?
Drivers will need to log into the Clearinghouse in order to electronically consent to requests from prospective and current employers that need to access full details about any drug and alcohol program violations as part of an employment-related background check. This is the only valid method for an employee to respond to this type of employer consent request, and failure to provide timely consent may result in a driver being prohibited from performing safety-sensitive functions for that employer.
Drivers may log in to the Clearinghouse to view their individual driver record at any time. Also, if a driver chooses to engage a Substance Abuse Professional (SAP), he or she must select the SAP through the Clearinghouse to initiate the RTD process.
How are employers and Consortium/Third-Party Administrators required to use the Clearinghouse?
The Clearinghouse offers employers a centralized location to report drug and alcohol program violations and to check whether a current or prospective employee is prohibited from performing safety-sensitive functions, such as operating a CMV, due to an unresolved drug and alcohol program violation, that is, a violation for which the employee has not completed the RTD process. Employers must run this check, or query, as part of any pre-employment screening and at least annually for each employee after hiring.
Employers may also use the Clearinghouse to designate a consortium/third-party administrator, which is a required step for an owner-operator (an employer who also operates a CMV as a driver).
How are Medical Review Officers (MROs) and Substance Abuse Professionals (SAPs) required to use the Clearinghouse?
MROs must use the Clearinghouse to report verified positive drug test results and any driver refusals to take a drug test.
SAPs must use the Clearinghouse to report on the RTD status of drivers who are working to resolve any open drug and alcohol program violations. These reports include the date of completion of the initial assessment and the date the driver becomes eligible for RTD testing.
How will State Driver Licensing Agencies (SDLAs) use the Clearinghouse?
As of Jan. 6, 2020, SDLAs will be able to query the Clearinghouse prior to completing licensing transactions.
How will driver data be protected in the Clearinghouse?
The Clearinghouse will meet all relevant federal security standards, and the FMCSA will verify the effectiveness of the security protections on a regular basis.
Driver information will not be available to the public. Only authorized users will be able to register and access the Clearinghouse for designated purposes. The Clearinghouse will require authentication to access records; in practice, users register and sign in through the federal login.gov service, which supports multi-factor authentication.
Drivers registered in the Clearinghouse will be able to access their Clearinghouse records at any time, and at no cost to them. Drivers will only be able to access their own information, not information about other drivers.
The FMCSA will only share detailed drug and alcohol violation information with prospective or current employers when an employer has requested and received specific consent from the driver. Drivers will be able to see the information that would be released to an employer before consenting to the release.
Driver information will be shared only with the FMCSA and other enforcement agencies as required to enforce drug and alcohol use testing regulations.
Does the final rule change any of the existing drug and alcohol program requirements in part 40?
No, the final rule does not change any existing requirements in the US DOT-wide procedures for transportation workplace drug and alcohol testing.
Source: U.S. Department of Transportation, Federal Motor Carrier Safety Administration
Business operations in the technology industry revolve around the functionality of computers, network connections and the Internet. It’s no secret that computer use comes with many risks, including damaging viruses, hackers, the illegal use of your system to attack others, the use of sensitive data to steal identities and other illegal actions. As a result, companies must respond by preventing, detecting and responding to cyber attacks through a well-orchestrated cyber security program.
Get Familiar with Risks
The first step in protecting your business is to take notice of the multitude of cyber risks:
Hackers, attackers and intruders: These people seek to exploit weaknesses in software and computer systems for their own gain. Although their intentions are sometimes benign, their actions are typically a violation of the intended use of the systems they are exploiting. The results can range from minor mischief (a defacement or a nuisance program with no lasting effect) to malicious activity such as stealing or altering data.
Malicious code (viruses, worms and Trojan horses):
- Viruses: This malicious code requires a user to take action to let a virus into the system, such as opening an email attachment, downloading a file or visiting a webpage.
- Worms: Once released, this code reproduces and spreads through systems on its own. They usually start by exploiting a software flaw; then, once the victim’s computer is infected, the worm will attempt to find and infect other computers through a network.
- Trojan horses: This disguised code claims to do one thing while actually doing something else; for example, a program that claims to speed up your computer but is actually sending confidential information to a remote intruder.
Risk Management Planning
To reduce your cyber risks, it is wise to develop an IT risk management plan at your organization. Risk management solutions utilize industry standards and best practices to assess hazards from unauthorized access, use, disclosure, disruption, modification or destruction of your organization’s information systems. Consider the following when implementing risk management strategies at your organization:
- Create a formal, documented risk management plan that addresses the scope, roles, responsibilities, compliance criteria and methodology for performing cyber risk assessments. This plan should include a characterization of all systems used at the organization based on their function, the data stored and processed, and importance to the organization.
- Review the cyber risk plan on an annual basis and update it whenever there are significant changes to your information systems, the facilities where systems are stored or other conditions that may affect the impact of risk to the organization.
In addition, your organization should take precautions when selecting the internet service provider (ISP) it uses for company business.
Almost all ISPs offer connectivity along with varying degrees of user support and web hosting. Your company should decide which ISP to use, together with a plan for backing up email and files and which firewalls to implement.
To select an ISP that will reduce your cyber risks, consider the following:
- Security: How concerned with security is the ISP? Does it encrypt the information you submit to its portals and services in transit using a current version of TLS (1.2 or later)? The older SSL protocols and TLS 1.0/1.1 are deprecated and a provider’s servers should refuse them; you can confirm this yourself by checking which protocol version the provider’s customer portal negotiates.
- Services: Does your ISP offer the services that you want and do they meet your organization’s needs? Is there adequate support for the services provided?
- Cost: Are the ISP’s costs affordable and are they reasonable for the number of services that you receive? Are you sacrificing quality and security to get a lower price?
- Reliability: Are the services provided by the ISP reliable, or are they frequently unavailable due to maintenance, security problems
- User support: Are there any published methods for contacting customer service, and do you receive prompt and friendly service? Do their hours of availability accommodate your company’s needs?
- Speed: How fast is your ISP’s connection, and is it sufficient for your business needs?
- Recommendations: What have you heard from industry peers about the ISP? Were they trusted sources? Does the ISP serve your geographic area?
Cybersecurity is a serious concern for your business. Contact Tooher Ferraris Insurance Group to learn about our risk management resources and insurance solutions for emerging technology exposures.
By Feb. 1 of each year, employers that are subject to the Occupational Safety and Health Administration’s (OSHA) routine recordkeeping requirements must post copies of their completed OSHA Form 300A (“Summary of Work-related Injuries and Illnesses”) from the previous year in visible locations within their employees’ workplaces. The postings must then be kept in place until at least Apr. 30 every year. These requirements apply to all employers that are not in a partially exempt industry and have more than 10 employees.
On Feb. 1, 2019, employers subject to OSHA recordkeeping requirements must ensure that copies of their completed Forms 300A from 2018 are posted in each of their establishments in a conspicuous place or places where notices to employees are customarily posted.
Until Apr. 30, 2019, these employers must also ensure that their Form 300A postings remain in place and are not altered, defaced or covered by other material.
- February 1 to April 30, 2019—Employers must post and keep their completed 2018 Forms 300A posted in their employees’ workplaces.
- March 2, 2019—Deadline for certain employers to submit electronic reports to OSHA.
Contact Tooher-Ferraris today to learn more about our integrated insurance and risk management programs at 203-834-5900.
Because of all they can offer, smartphones and tablet devices are essential to many professions’ daily operations. However, as use rises, it will become more and more important to ensure that security for these mobile devices is able to adequately protect you from new and existing threats.
The need for proper phone security is no different than the need for a well-protected computer network. Gone are the days when the most sensitive information on an employee’s phone is contact names and numbers. Now a smartphone could grant access to any number of applications, emails and stored passwords. Depending on how your organization uses such devices, unauthorized access to the information on a smartphone or tablet could be just as damaging as a data breach involving a more traditional computer system.
Lost or Stolen Devices
Because of their size and the way they are used, mobile devices are at an increased risk of being lost or stolen. Since most devices store credentials and session tokens to keep users logged in to email and other applications, physical possession of the device is one of the easiest ways for an unauthorized person to reach private information.
To prevent someone from accessing a lost or stolen device, the phone or tablet should be locked with a passcode, and the lock should be time sensitive, engaging automatically after a short period of inactivity. On current iOS and Android devices the passcode is also tied to the encryption of stored data, so a device with no passcode offers little protection against someone who has it in hand. Most devices come with these features built in, which is something to confirm before purchasing. Most platforms also provide a way, either through the operating system’s own find-my-device service or through a mobile device management (MDM) tool, to remotely lock or erase a device that is lost or stolen.
Mobile devices are just as susceptible to malware as computers, yet many businesses do not apply the same safeguards to them. As reliance on these devices continues to grow, so will their attractiveness as targets. Third-party applications, especially those installed from outside the official app stores or granted broad permissions, are a common way for malware to get onto a device. Employees should never install unauthorized applications on company devices.
Like any potential exposure, the level of risk brought on by mobile devices is based largely on how your company uses them. Conduct a formal risk assessment to see where your biggest risks are. Also establish when to conduct follow-up assessments to account for new exposures created by the ever-advancing state of technology.
Establish a Smartphone Policy
Before issuing smartphones to your employees, establish a device usage policy. Outline what does and does not constitute acceptable use and what actions will be taken if employees violate the policy. It is important that employees understand the security risk inherent to smartphone use and their role in its mitigation. Well informed, responsible users act as an invaluable layer of security protecting mobile devices.