October 2023 – Transportation Hiring Alert – Always Check New Drivers’ Clearinghouse Record


FLEET OPERATORS face an increased risk of potential liability if they are not diligent about checking their drivers’ moving violation records with the state Department of Motor Vehicles, in addition to the Federal Motor Carrier Safety Administration’s Drug and Alcohol Clearinghouse.

As of 2020, it became mandatory that all motor carriers sign up their drivers in the Clearinghouse and run their driver rosters through the system to clear them for duty. But many companies are skipping this step and only checking their drivers’ records with the DMV, which may not reflect any suspensions issued by the Clearinghouse.

Clearinghouse rules require that drivers be tested for drugs prior to being hired and randomly throughout the year. This helps employers weed out drivers who may be at higher risk of both moving violations and accidents.

The Clearinghouse

The Clearinghouse was created to keep commercial drivers who have violated federal drug and alcohol rules from lying about those results and getting a job with another motor carrier.
This electronic database tracks commercial drivers’ license holders who have tested positive for prohibited drug or alcohol use, as well as refusals to take required drug tests, and other drug and alcohol violations.

The Clearinghouse tracks a driver’s drug and alcohol tests and bars them from operating commercial vehicles after they fail a test. If they want to return to driving, they must successfully pass a return-to-duty process that includes substance abuse treatment and a test to evaluate their readiness.

The restriction can be lifted if the driver signs up for a Clearinghouse program that will test them 14 times in two years, with the first 12 tests having to occur in the first year.
This cost all comes out of the driver’s pocket.
This system is an important check on drivers and helps employers reduce their exposure.
The Department of Motor Vehicles is required to check the Clearinghouse before issuing a new or renewing a commercial driver’s license.

The takeaway

While it is the law that employers follow Clearinghouse procedures, because it’s a new system, many companies are failing to follow the rules.
If you are relying only on pulling a driver’s moving violation record and not the Clearinghouse, you are in breach of regulations and could leave your firm exposed.
If you employ a driver who is under suspension from driving by the Clearinghouse and they are involved in an accident, the victims could build a case that your organization was negligent in letting the individual drive and not checking the Clearinghouse first.
If they can prove negligence on a fleet operator’s part, the business could be in for a hefty court judgment.


July 2023 – EEOC Guidance – New Rules for Using AI in Employment Decisions


The Equal Employment Opportunity Commission has issued new guidance on how employers can properly use software, algorithms and artificial intelligence-driven decision-making tools when screening job applicants and selecting candidates.
The EEOC has grown concerned about possible adverse impacts of these technologies that can help employers with a wide range of employment matters, like hiring decisions, recruitment, retention, monitoring performance, and determining pay, promotions, demotions, dismissals and referrals.
The guidance follows the EEOC’s recent announcement that it would pursue enforcement of violations of Title VII of the Civil Rights Act of 1964 and other statutes under its jurisdiction arising from use of AI in employment decisions.

The new guidance includes a series of questions and answers to help employers prevent the use of AI and other technologies from leading to discrimination on the basis of race, color, religion, sex or national origin, in violation of Title VII.

Main points of the guidance:

Responsibility: Employers are ultimately responsible for discriminatory decisions rendered by algorithmic decision-making tools, even if they are administered by another entity, such as a software vendor.
Assessment: Employers should assess whether their use of technology has an adverse impact on a particular protected group by checking whether use of the procedure causes a selection rate for individuals in the group that is “substantially” less than the selection rate for individuals in another group.

The selection rate for a group of applicants or candidates is calculated by dividing the number of persons hired, promoted or otherwise selected from the group by the total number of candidates in that group.
If an employer is in the process of implementing a selection tool and discovers that using it would have an adverse impact on individuals of a protected class, it can take steps to reduce the impact or select a different tool, per the guidance.
If an employer fails to adopt a less discriminatory algorithm than that which was considered during the implementation process, it could result in liability, according to the EEOC.

The takeaway

Employers using algorithmic decision-making tools for employment decisions need to take the same care as they do when making employment moves without assistance from technology.
Firms should not implement these technologies without considering possible adverse decision-making that could lead to violations of the law and prompt litigation and regulatory action by the EEOC.
Experts advise that you move forward carefully and work with the vendor to ensure the technology doesn’t get your organization in trouble.


January 2023 – Ransomware Fallout – Firms That Pay Ransom Often Hit Again


A new report found that one-third of companies that are hit with ransomware and pay the hackers to unlock their systems are likely to be targeted a second time.

And after they pay, they are often faced with significant consequences, including system rebuilding costs, their data still being leaked and financial consequences, according to the “2022 Cyber Readiness Report” by Hiscox. The eye-opening results of the study come as the number of businesses hit by cyber attacks continues growing.

Considering the potential damage to your organization if your systems are compromised in the aftermath of a ransomware attack, even if you have cyber insurance to pay recovery costs, it’s best to take steps to thwart attacks in the first place.

More than ransom

It’s clear that paying a ransom often doesn’t mean the recovery for an affected business will be smooth, according to the report, which covers the poll results of 5,000 organizations.

The risk

Nearly half (47%) of firms reported that they had been hit by a cyber attack during the past 12 months, up from 40% in 2021. Of those who were attacked, 17% were ransomware victims.
The median cost of an attack has risen 29% to just under $17,000.
Small firms can no longer expect to fly under the radar as the criminals increasingly have them in their sights.

 

What you can do

Some firms have little exposure to a cyber attack, particularly if they don’t handle customer data or are not tech-driven operations. Each firm has a different exposure level.
For companies that have cyber exposure, protecting their organization requires a multi-pronged approach that includes cyber insurance and strong data security protocols.
Cyber insurance may cover the cost of a paid ransom as well as recovery and rebuilding costs. If your organization has exposure, please give us a call to review your risk and see if cyber insurance is right for your business.

Besides that, Hiscox recommends taking a number of steps to protect against an attack and be able to recover from one faster:

  1. Keep all of your software up to date, including installing all the latest security patches.
  2. Frequently back up your data on a server that is not hooked up to the cloud.
  3. Train workers on how to recognize and avoid common social engineering attacks that criminals use to trick them into revealing sensitive information about themselves or their company.
  4. Teach your staff how to detect potentially dangerous e-mails that try to get them to click on a malicious link that can unleash ransomware or other malware.

January 2023 – Top 10 California Laws, Regs for 2023


A slew of new laws and regulations that will affect California businesses are taking effect for 2023.

Last year was a busy one, with ground-breaking new laws on employee pay disclosures, a law prohibiting discrimination against cannabis-using employees and another expanding the circumstances when employees can take leave to care for a loved one. The following are the top 10 laws and regulations that employers in the Golden State need to stay on top of.

1.  Pay disclosure

This sweeping law in part requires more disclosure of pay information by employers. Under current law, employers are required to provide the pay scale for a position upon reasonable request by a job applicant. SB 1162 goes a step further by:

  • Requiring employers, upon request by a current employee, to provide the pay scale of the position they are employed in.
  • Requiring employers with 15 or more workers to include pay scale in any job postings for open positions.
  • Requiring employers to maintain records of job titles and wage rate history for each employee while employed by the company, as well as three years after their employment ceases.

Note: The law defines “pay scale” as the salary or hourly wage range that the employer “reasonably expects” to pay for the position. Penalties range from $100 to $10,000 per violation. This law took effect Jan. 1, 2023.

 

2.  State of emergency and staff

This new law, SB 1044, bars an employer, in the event of a state of emergency or emergency condition, from taking or threatening adverse action against workers who refuse to report to, or leave, a workplace because they feel unsafe. “Emergency condition” is defined as:

  • Conditions of disaster or extreme peril to the safety of persons or property caused by natural forces or a criminal act.
  • An order to evacuate a workplace, worksite or worker’s home, or the school of a worker’s child due to a natural disaster or a criminal act.

SB 1044 also bars employers from preventing employees from using their mobile phones to seek emergency assistance, assess the safety of the situation or communicate with another person to confirm their safety. The law, which took effect Jan. 1, 2023, does not cover first responders and health care workers.

 

3. Cannabis use and discrimination

This law bars employers from discriminating in hiring, termination or other conditions of employment based on employees using cannabis while off duty. The bill’s author says the legislation is necessary because THC (tetrahydrocannabinol), the active ingredient in marijuana, can stay in a person’s system after they are no longer impaired. As a result, drug testing may detect THC in an employee’s system even if they used it weeks earlier and it is having no effect on their job performance. AB 2188 does not require employers to permit employees to be high while working. The bill would exempt construction trade employees and would not preempt state or federal laws that require employees to submit to drug testing. This law takes effect Jan. 1, 2024.

4.  Leaves of absence

The California Family Rights Act and the state’s paid sick leave law allow employees to take leave to care for a family member, defined as a spouse, registered domestic partner, child, parent, parent-in-law, grandparent, grandchild or sibling. The definition has been expanded to include “any individual related by blood or whose association with the employee is equivalent of a family relationship.”

5.  Contractor workers’ comp

Starting July 1, the following contractors must carry workers’ compensation coverage regardless of whether they have employees:

  • Concrete (C-8 license)
  • Heating and air conditioning (C-20)
  • Asbestos abatement (C-22), and
  • Tree service (D-49).

Starting Jan. 1, 2026, all licensed contractors must have coverage.

6.  OSHA citation postings

Under current law, employers that receive citations and orders from OSHA are required to post them in or near the place the violation occurred, in order to warn employees about a potential hazard. Starting Jan. 1, 2023, they must post the notice not only in English, but also in Spanish, Chinese (Cantonese, Mandarin), Vietnamese, Tagalog, Korean, Armenian and Punjabi.

7.  Permanent COVID standard

Cal/OSHA has a permanent COVID-19 prevention standard that will sunset in 2024. The new standard, which replaces the temporary emergency standard the agency had implemented, should provide more certainty for prevention procedures and practices. Here are the main takeaways:

  • Employers are no longer required to pay employees while they are excluded from work due to COVID-19, or to screen employees daily.
  • Employers must still notify and provide paid testing to employees who had a close contact in the workplace.
  • Employers can now incorporate written COVID-19 procedures into their Injury and Illness Prevention Programs.

8.  CalSavers expanded

SB 1126 requires any person or entity with at least one employee to either provide them with access to a retirement program like a 401(k) plan or enroll them in the state-run CalSavers program. Prior to this new law, only companies with five or more employees that did not offer a retirement plan were required to enroll their workers in CalSavers.

9.  Bereavement leave

Employers with five or more workers are required to provide up to five days of bereavement leave upon the death of a family member, under a new law starting in 2023. This leave may be unpaid, but the law allows workers to use existing paid leave available to them, such as accrued vacation days, paid time off or sick leave. Employers are authorized to require documentation to support the request for leave.

10.  PFL wage replacement

This law was passed last year but does not take effect until 2025. Existing California law allows employees to apply for Paid Family Leave and State Disability Insurance, both of which provide partial wage replacement benefits when employees take time off work for various reasons under the California Family Rights Act. Starting in 2025, low-wage earners (those who earn up to 70% of the state average quarterly wage) will be eligible for a higher percentage of their regular wages under the state’s PFL and SDI benefit programs.


Jan 2022 – RISK REPORT – Stay on Top of New Laws, Rules in New Year


EVERY YEAR starts with a flurry of new laws and regulations that California employers have to contend with.
And 2022 is no different as the California legislature had a busy year and the stresses of the COVID-19 pandemic resulted in more activity. The end result is another round of new laws that employers need to stay on top of so they don’t run afoul of them.
With no further ado, here are the top regulations and laws affecting California businesses.

 

1. Big change to Cal/OSHA citations

SB 606 adds two new Cal/OSHA violation categories for purposes of citations and abatement orders: “enterprise-wide” and “egregious” violations. Cal/OSHA can issue an enterprise-wide citation that would require abating the violation at all locations. And the employer can face a maximum penalty of $124,709 per violation.
The law also authorizes the agency to issue a citation for an egregious violation if it believes that an employer has “willfully and egregiously” violated a standard or order. Each instance of employee exposure to that violation will be considered a separate violation and fined accordingly.

 

2. Permanent COVID standard

On Sept. 17, 2021, Cal/OSHA released a draft text for proposed permanent COVID-19 regulations, which if adopted would be subject to renewal or expiration after two years and would replace the current emergency temporary standard, which is set to expire Jan. 14, 2022.
Adoption is expected in the spring of 2022. Here’s some of what the draft standard would do:

CDPH rules – It would require that employers follow California Department of Public Health COVID-19 prevention orders.
Masks for unvaxxed staff – Unvaccinated staff must wear masks. Employers must provide masks when the CDPH requires them.
Outbreak rules – During an outbreak in the workplace, all staff would be required to wear face coverings regardless of vaccination status. Employers would need to provide respirators during major outbreaks to all employees.

 

3. COVID exposure notification

On Oct. 5, 2021, AB 654 took effect, updating requirements for what an employer must do if there is an outbreak of COVID-19 cases at its worksites.
This law somewhat curtailed earlier outbreak-reporting requirements as well as other required notifications for certain employers, and updated several provisions of the 2020 outbreak notification law, AB 685.
Here are some highlights:

• Employers have one business day or 48 hours, whichever is later, to report a workplace COVID-19 outbreak to Cal/OSHA and local health authorities.
• Employers do not need to issue these notices on weekends and holidays.
• When an employer has multiple worksites, it only needs to notify employees who work at the same worksite as an employee who tests positive for coronavirus.
• The new definition of “worksites” for the purposes of the law has been changed to exclude telework.

 

4. Expansion of the California Family Rights Act

AB 1033 expands the CFRA to allow employees to take family and medical leave to care for a parent-in-law with a serious health condition.
More importantly, it adds a requirement that mediation is a prerequisite if a small employer (one with between five and 19 workers) is the subject of a civil complaint filed by one of its employees.

 

5. Workplace settlement agreements and NDCs

A new law took effect Jan. 1 that bars employers from requiring non-disclosure clauses in settlement agreements involving workplace harassment or discrimination claims of all types. This builds on prior law that barred NDCs only in cases of sex discrimination or sexual harassment.
The new law expands that prohibition to all protected classes, such as: race, religion, disability, gender, age, and more.
One important note: While employees can’t be prohibited from discussing the facts of the case, employers can still use clauses that prohibit the disclosure of the amount paid to settle a claim.

 

6. OSHA vaccine mandate

As of this writing, Fed-OSHA’s new emergency COVID-19 standard was set to take effect on Jan. 1, with the most contentious part of the rule mandating that employees who work for employers with 100 or more staff be vaccinated or submit to weekly testing.
Unvaccinated workers would also be required to wear masks while on the job under the new rules, which have faced fierce challenges in courts.
The U.S. Court of Appeals for the Sixth Circuit recently reversed a stay of the order as challenges to it are litigated, meaning the order can take effect as scheduled as the legal process challenging the rule proceeds.
The U.S. Supreme Court will hear expedited arguments Jan. 8 on the U.S. Court of Appeals for the Sixth Circuit’s decision to lift the Fifth Circuit’s stay.

 

7. Wage theft penalties

AB 1003, which took effect Jan. 1, added a new penalty to the California Penal Code: Grand Theft of Wages. The new law makes an employer’s intentional theft of wages (including tips) of more than $950 from one employee, or $2,350 for two or more workers, punishable as grand theft.
The law, which also applies to wage theft from independent contractors, allows for recovery of wages through a civil action.
As a result, employers (and potentially managers and business owners) would be exposed to both criminal and civil liability for wage and hour violations like failing to pay staff accurately and in a timely manner.
Review your compensation policies and practices to make sure you are in compliance with current wage and hour laws.

 

8. COVID cases may be included in X-Mods

The Workers’ Compensation Insurance Rating Bureau of California has proposed plans to start requiring COVID-19 claims to be included when calculating employers’ X-Mods.
The proposal, which would have to be approved by the state insurance commissioner, would bring to an end current rules that exclude the impact of COVID-19 workers’ compensation claims on X-Mods.
If approved, the new rule would take effect on Sept. 1, 2022. That means that employers will be held accountable for COVID-19-related workers’ compensation claims and, if any employee needs treatment or dies from the coronavirus, it could result in higher premiums in the future.

 

9. Notices can be e-mailed

A new state law authorizes employers to distribute required posters and notices to employees via e-mail. SB 657 adds e-mail as a delivery option to the list of acceptable notification methods, which also includes mail.
Required posters and notices will still need to be physically posted in the workplace.

 

10. Warehouse quota rules

A new law that took effect Jan. 1 makes California the first (and only) state to regulate quotas used by warehouse employers.
While the bill was written with Amazon Inc. in mind, it affects all warehouses with 100 or more workers, and violations of the new law can be costly for an employer.
Under AB 701, warehouse employees must be provided with a written description of the quotas to which they are subject within 30 days of hire. Common quotas include the number of tasks the employee is required to perform, the materials to be produced or handled, and any adverse employment action that may result from a failure to meet the quota.

 

While employers may still implement quotas, employees are not required to meet a quota if it:

• Prevents them from taking required meal or rest periods,
• Prevents them from using the bathroom (including the time it takes to walk to and from the toilet), or
• Contravenes occupational health and safety laws.

The law also bars employers from discriminating, retaliating or taking other adverse action against an employee who:

• Initiates a request for information about a quota or personal work-speed data, or
• Files a complaint alleging a quota violated the Labor Code.

 


October 2021 – CONSTRUCTION INDUSTRY – Building Risks Evolve, Creating Unique Challenges


AS THE CONSTRUCTION industry booms, contractors face evolving risks that, left unchecked, can leave their operation exposed to new liabilities.
If you already operate a construction firm, you know that there is a labor shortage that has made it difficult to find experienced workers and that hiring entities are asking builders to take on more of the design function, as well.
Your liability picture has also likely changed with the increasing use of wrap-ups and, if you’re using technology in your operation, you now have rising cyber-security risks, too.

Lack of qualified workers

The bottom fell out of the construction industry in the U.S. during the first few months of the COVID-19 pandemic, and many worksites were idled. Now that the industry has found its footing, it’s been dealing with a severe labor shortage.
As construction firms struggle to find workers, the ones who are on the job are having to take on larger workloads, which can put them at risk of injury or making mistakes.
Also, many contractors are having to take on younger, less-seasoned laborers, who may lack the experience to identify and avoid hazards, which puts them and others at risk of injury. Those injuries in turn affect your workers’ comp premiums.
A lack of workers coupled with inexperienced new ones on sites can also end up drawing out projects, forcing contractors to miss deadlines.

Professional liability risks

As more project owners want an all-in-one job with the lead contractor designing and building the project, contractors now face a new type of risk: professional liability.

But the typical contractor’s insurance policy doesn’t provide protection for any design work you take on.
Courts have ruled that:

  • Designers who perform “builder activities” lose limitation of liability typically enjoyed by design professionals.
  • Builders who perform “design activities” assume responsibility for design deficiencies.

Wrap-ups more prevalent

Many construction projects are now covered under one general liability policy to cover the work of the general contractor, as well as of all the subs. More lenders are requiring that liability is set up in one all-encompassing policy.
A properly assembled general liability wrap-up should provide coverage not only during the construction period, but also up to 10 years after the work is completed. These policies often reduce the cost of coverage.

More cyber-security risks

Like all industries, the construction sector has grown increasingly reliant on technology to get the job done. That exposes contractors to a variety of cyber risks, including keeping project designs, client records and employee records confidential.
Many building contracts today include clauses requiring the contractor to be responsible for potential cyber breaches.
Given the increasing popularity of practices such as “building information modeling,” “integrated project delivery,” and file-sharing between participants in a construction project, contractors may be at increased risk of liability in the event of a data breach.


October 2021 – Wildfires Make for Difficult Insurance Market


MORE BUSINESSES in wildfire-prone areas are facing a difficult commercial property insurance market as insurers reduce their exposure and some have left the market altogether.

Many businesses in areas that have already been ravaged by fires, or those located near forests and large grassy areas, are seeing their premiums increase – sometimes substantially, by 300% or 400%.
Also, more businesses are finding few insurers that are willing to cover their properties.

According to a new report by insurance rating firm AM Best, California wildfires have caused over $4 billion in commercial property losses for insurers in three of the past four years.

It’s expected that 2021 fire losses could be even greater than those of the prior four years.

The fallout

  • Some insurers have stopped writing property insurance in high-risk areas.
  • Most insurers are increasing their rates substantially in high-risk areas.
  • Insurers are requiring policyholders to have mitigation measures like defensible space (see below).
  • Many policies have worse terms. One winery owner interviewed by the Los Angeles Times said that his premium was typically $200,000 with a $25,000 deductible. His new policy costs $800,000 and includes a $500,000 deductible, and would only cover 20% of the value of his buildings.

The new playbook

Many insurers are applying three metrics in evaluating exposure to fire:

  • Brush mapping – This is a map of the tinder and brush, nearby trees, and other items that could contribute to your building(s) catching fire.
  • Wildland-urban interface – The closer that a building is to nature, the more at risk it is. A wildland-urban interface is defined by the Forest Service as a place where “humans and their development meet or intermix with wildland fuel.”
  • Concentration of properties an insurer covers in your area – If your carrier has a high concentration of policies for other properties in your area, they may opt to non-renew policies in order to reduce their exposure.

PROTECTING YOUR COMMERCIAL PROPERTY

  • Zone 1 (0-5 feet): Concrete, gravel mulch, and low-growing plants or lawns are good choices for this zone. Avoid combustible materials.
  • Zone 2 (5-30 feet): Vegetation island. Prune low tree branches. Remove shrubs.
  • Zone 3 (30-100 feet): Thin out vegetation between trees. Don’t let tree canopies touch.

The California FAIR Plan Is the Market of Last Resort 

Coverage options

If all insurers have rejected a property, we have two options:

– The non-admitted market – These insurers, which include Lloyd’s of London, are usually willing to write buildings in higher-risk areas, but they too have increased their underwriting criteria.

– The California FAIR Plan – If we cannot find an insurer in the non-admitted market, the last choice is the FAIR Plan, which is the market of last resort for property owners that cannot get coverage elsewhere.

Policies cover losses from fire, lightning, and explosion only.
Also, policies are limited in what they will pay out, so if you have millions of dollars tied up in equipment and/or inventory, the policy may not be enough to cover all the damage you incur from a wildfire.

The maximum limit for commercial properties is $3 million for structures and $1.5 million for all other coverages, for a combined $4.5 million limit for all commercial properties at one location. But there are some exceptions.

Your options if you go to the FAIR Plan

If the FAIR Plan coverage is not enough for your needs, we can find another insurer that provides excess coverage that would kick in at a certain dollar amount of damage.

And for risks that are not covered, we would have to also find you a “differences in conditions” policy. Combined with FAIR Plan coverage, adding such a policy can nearly mimic the coverage of a commercial policy.

 


July 2021 – Non-Admitted Carriers – The Option When No Insurers Will Cover You


SOME BUSINESSES are finding fewer insurers willing to write their policies for certain types of coverage that are seeing rapidly rising claims costs, particularly in liability lines as well as property insurance in areas with exposure to natural catastrophes.
When no insurers that are licensed in California are willing to write a policy, we as your agent have to go to another market made up of insurance companies that are not licensed or regulated by the state.
It’s called the surplus lines (or “non-admitted”) market, and it can be a valuable alternative for insurance buyers.
As insurers get more selective writing some risks, it’s important for you as an insurance buyer to understand this market.

Why use a non-admitted carrier?

The most well-known non-admitted insurer is Lloyd’s of London, famous for insuring insurance companies and celebrities’ or sports figures’ body parts and global sporting events. Often non-admitted insurance companies are located in other states or domiciled abroad, like Bermuda or another tax-haven country.
Unlike licensed insurance companies, non-admitted companies do not have to obtain approval from state regulators for the policy forms they use or the rates they charge.

Since they are not regulated by the state, non-admitted insurers can offer creative coverage options and they can quickly and easily introduce new types of insurance that businesses need.
Some types of policies that are standard today, such as cyber insurance and employment practices liability insurance, got their start in the non-admitted market.
State laws typically permit a broker to obtain coverage from a non-admitted insurer only if at least a few standard insurance companies refuse to offer coverage. However, most also have coverage options that are not available in the standard market.
When someone needs one of the latter coverages, no rejections from licensed companies are required. An example might be liability insurance for contractors who demolish buildings.

Risks

There are risks to purchasing insurance in the non-admitted market. Policies may provide less coverage than do standard policies, or there may be restrictions on when coverage applies. Policies should be reviewed carefully. Also, because the insurers can charge whatever they feel is appropriate, premiums can be higher than you may expect. The policies may also be exempt from state laws regarding notices of cancellation and non-renewal.
Also, in every state but one (New Jersey), non-admitted policies are not backed by a guaranty fund. Guaranty funds cover claims left unpaid when an insurer is unable to pay for them. If a non-admitted company becomes insolvent, the policyholder has no recourse.

The takeaway

Despite the risks, the non-admitted market serves an important function, giving buyers a place to get needed coverage that would be otherwise unavailable.
Those who think they may need to tap this market should consult with us to find the right coverage at an acceptable price.


April 2021 – Social Engineering Crime – Business Compromise Scams Growing Fast


BUSINESS COMPROMISE scams that use both technology and a human touch to steal funds from businesses are growing as criminals engage in social engineering tactics to dupe unsuspecting employees.

Businesses have lost millions of dollars to social engineering scams, where attackers impersonate a company president or executive who is authorized to approve wire transfers to trick employees into transferring funds into a fake client or vendor account.

According to the FBI’s Internet Crime Complaint Center, in 2019 U.S. businesses were hit with an estimated 23,775 e-mail compromise scams that resulted in aggregate losses of $1.7 billion. Figures for 2020 are not yet available.

Vishing – or voice phishing – attacks have been growing. The FBI in January warned of an increase in vishing attacks targeting employees working remotely in the COVID-19 pandemic, and of the heightened risks companies face when network access and broadening of online privileges may not be fully monitored.

 

How to train employees

Providing practical employee phishing training is key to keeping your company safe. The following are activities and tips to help you train employees to stay vigilant.

Remote workers should be vigilant in checking internet addresses, more suspicious of unsolicited phone calls, and more assertive in verifying the caller’s identity with the company, the FBI recommends.

When training staff, you should:

  • Explain what vishing and phishing are, how they happen, and what risks they pose on a personal and company level.
  • Explain the different types of phishing attacks.
  • Train your workers in identifying signs of phishing attacks, like e-mails with poor spelling and grammar, incorrect e-mail addresses (for example BobS@ Startbucks.com), and fraudulent URLs.
  • Train your staff in recognizing phishing links, phishing attachments, and spoofed e-mails. Additionally, your employees should know what steps to take after they identify a threat.
  • Conduct simulations that send employees fake phishing e-mails. The results should be shared with them to show how they fell for the scam and the damage that being duped into clicking on a malicious link can cause.

 

Insurance

As vishing and business e-mail compromise scams increase, more employers are seeking to add coverage in their commercial crime policies.
Typically, these policies have been used to cover losses for internal theft, but lately, about 50% of claims are for losses related to phishing and vishing scams.
The price of social engineering coverage varies by risk and limit, but it can often be added to a crime policy as a rider.
One thing though: social engineering coverage will often have lower limits than a typical commercial crime policy. This is because of the risk of much larger financial losses than a company could expect from internal theft or white-collar crime perpetrated by an employee.

 

ADVICE FROM THE FBI

  • Consider instituting a formal process for validating the identity of employees who call each other.
  • Restrict VPN connections to managed devices only (meaning not on employees’ personal devices).
  • Restrict VPN access hours.
  • Employ domain monitoring to track the creation of or changes to corporate brand-name domains.

April 2021 – Cyber Insurance – As Attacks and Costs Mount, Rates Climb Higher


CYBER INSURANCE rates are going to increase dramatically in 2021, driven by more frequent and more severe insured losses, according to a recent industry study.

The report by global insurance firm Aon plc predicted that rates would jump by 20% to 50% this year due to two main factors:

 

1. Cyber attacks are becoming more frequent

While publicly disclosed data breach/privacy incidents are actually occurring less often, ransomware attacks are exploding in frequency.

Ransomware incident rates rose 486% from the first quarter of 2018 to the fourth quarter of 2020. The comparable rate for data breach incidents fell 57% during the same period. The incident rates for the two types of events combined rose 300% over the trailing two years.

 

2. The costs of these attacks are growing

The average dollar loss increased in every quarter of 2020. Ransomware attacks were particularly severe – many of them resulted in eight-figure losses. Others may grow to that level as business interruption losses are adjusted and lawsuits against insured organizations proceed.

The combination of more frequent and more costly losses is a recipe for higher rates.

Cyber insurance rates continued increasing in 2020, with rises of between 6% and 16% in the last four months of the year. In January 2021, most of the top 12 cyber insurance companies told Aon they were planning more drastic rate hikes. Nearly 60% reported that they would be seeking rate increases of 30% or more during the second quarter. None of them expected increases less than 10%.

 

New underwriting criteria

When insurers evaluate cyber insurance applicants, they will be particularly concerned with the organization’s overall cyber risk profile, its cyber governance and access control practices, and its network and data security. Prior loss history will be less important because the frequency of attacks is growing so quickly.

Some insurers may also cap how much they will pay for ransomware losses, or even exclude them entirely. They may also increase the waiting periods before coverage begins to apply.

 

WHAT BUSINESSES CAN DO

To improve your chances of getting more favorable pricing and coverage, the report recommends that you focus on:

  • Reducing the risk of cyber losses.
  • Measures to keep data private.
  • Building an internal culture of cybersecurity.
  • Preparing for ransomware attacks and disaster recovery planning.
  • How your contracts and insurance will respond to a supply chain security breach.
  • Understanding primary and excess coverage terms and communicating primary terms to excess insurers.
