Small and mid-sized businesses are increasingly bearing the burden of cyber threats, as criminals are betting they do not have the resources in place to mount a strong defense. A severe attack on a small company can incapacitate its ability to do business, and the expenses of getting operations back on track – coupled with loss of goodwill – can easily force a firm into bankruptcy.
Unfortunately, with more data breaches hitting the news, one of the main concerns that executives have is if their insurance will cover the costs of recovering from an attack.

If you are running a small or mid-sized company, do not underestimate the growing threat to your business. Your chief priorities should be protecting against the threat and having proper insurance coverage in place.

TOP REASONS FOR CYBER LOSSES

• Malicious breaches resulting in data losses: 52%
• Unintentional data disclosure by staff: 16%
• Physical loss or theft of data: 13%
• Network or website disruptions: 5%
• Phishing, spoofing and social engineering: 5%
• Other: 9%
Source: Advisen and Nationwide Insurance Co.

Insurance concerns

One of the chief concerns for executives is any overlap or gaps between their property, liability, crime and cyber policies when it comes to covering the costs of recovering from an attack, according to a report by insurance news website Advisen and Nationwide Insurance. Some companies feel they don’t need cyber coverage because they believe their property and liability policies will cover any related losses.

EXECUTIVES’ INSURANCE WORRIES

• 95% of respondents named data breach as the number-one risk they expect to be covered by a cyber insurance policy.
• 94.5% said they expect cyber-related business interruption to be covered by a cyber policy.
• 89% said they expect their cyber policy to cover ransom demands.
• 36% said they have cyber-related property damage/bodily injury coverage under another policy, reflecting the belief that some coverage for cyber-related losses can be found under traditional policies.
• 60% of respondents said they are concerned about perceived gaps and overlaps in their insurance coverage.
• 53% of respondents said coverage for funds-transfer losses should be found under the crime policy, but also stated they would like to be able to recover under both crime and cyber policies – or have separate policies with higher limits.

The takeaway

Since cyber insurance is a new and evolving product, all policies do not cover the same thing. That’s why it’s important to weigh your choices carefully and consult with us. While the cyber threat grows, more insurers are changing language in their property and liability policies to limit coverage of cyber events. Because of the high costs associated with a data loss, more
executives want to see higher limits for business interruption coverage on their cyber stand-alone policies.

This market demand may drive insurers to refine their cyber insurance policies, including increasing cyber-related business interruption limits, according to the Advisen report. To find the best coverage for your business, please talk to us. We can help you evaluate your risks and coverages and identify any gaps by looking at your existing policies.

The new decade is starting off with a tsunami of new laws and regulations that will affect California businesses. Companies operating in California will have to be prepared for significant changes or open themselves up to potential litigation, fines, and other risks.

Here’s what you need to know coming into the new year:

1. AB 5

The controversial AB 5 creates a more stringent test for determining who is an independent contractor or employee in
California.  Known as the “ABC test,” the standard requires companies to prove that people working for them as independent contractors are:

A) Free from the firm’s control when working;
B) Doing work that falls outside the company’s normal business; and
C) Operating an independent business or trade beyond the job for which they were hired.

Legal experts recommend that employers:

• Perform a worker classification audit, and review all contracts with personnel.
• Notify any state agencies about corrections and changes to a
worker’s status.
• Discuss with legal counsel whether they should now also include them as employees for the purposes of payroll taxes, workers’ compensation insurance, federal income tax withholding, and FICA payment and withholding.

2. Wildfire safety regulations

Cal/OSHA issued emergency regulations that require employers of outdoor workers to take protective measures, including providing respiratory equipment, when air quality is significantly affected by wildfires. Under the new regs, when the Air Quality Index (AQI) for particulate matter 2.5 is more than 150, employers with workers who are outdoors are required to comply with the new rules. These include providing workers with protection like respirators, changing work schedules or moving them to a safe location.

3. Arbitration agreements

Starting Jan. 1, the state will bar almost all employee arbitration agreements. AB 51 bars employers from requiring
applicants, employees and independent contractors to sign mandatory arbitration agreements and waive rights to filing
lawsuits if they lodge a complaint for discrimination, harassment, wage and hour issues. Businesses groups sued to overturn the law on the grounds that it is preempted by the Federal Arbitration Act.

4. Overtime rules

New federal overtime regulations are taking effect for non-exempt workers. Under the new rule, employers will be required to pay overtime to certain salaried workers who make less than $684 per week – or $35,568 per year – up from the current threshold of $455, or $23,660 in annual salary.

5. Consumer privacy

Starting Jan. 1, under the California Consumer Protection Act, businesses that keep personal data of residents are required to safeguard that information and inform website users how their personal data may be used. The law applies to firms with $25 million or more in annual revenues or those that sell personal information as part of their business.

6. Return of the individual mandate

A new law brings back the individual mandate requiring Californians at least to secure health insurance coverage or face tax penalties. This comes after the penalties for not abiding by the Affordable Care Act’s individual mandate were abolished by Congress in late 2017. Starting in 2020, California residents are required to have health insurance or pay excess taxes. This will affect any of your staff who have opted out of your group health plan as it may mean they are going without coverage, unless they have opted to be covered by their spouse’s plan. If you have staff who didn’t enroll in your plan for 2020, they may have to wait until your group’s next open enrollment at the end of the year. That could force them to pay tax penalties.

7. New audit, X-Mod thresholds

The threshold for physical workers’ compensation audits for California policies incepting on or after Jan. 1 is $10,500 in annual premium, a drop from $13,000. This means that any employer with an annual workers’ comp premium of $10,500 or more will be subject to a physical audit at least once a year. On top of that, the threshold for experience rating (to have an X-Mod) has also fallen – to $9,700 in annual premium as of Jan. 1, from $10,000.

8. Harassment training partly pushed back

Employers with five or more workers were required to conduct sexual harassment prevention training for their staff by the end of 2019 under a California law passed in 2018. A new law extends the compliance deadline for some employers who had already conducted training prior to 2019. The original law, SB 1343, required all employers with five or more staff to conduct sexual harassment prevention training to their employees before Jan. 1, 2020 – and every two years after that. If you have never trained your staff, you should have done so in 2019.

But if you have, here are the new rules:
• If you trained your staff in 2019, you aren’t required to provide refresher training until two years from the time the employee was trained.
• If you trained your staff in 2018, you can maintain the two-year cycle and comply with the new Jan. 1, 2021 deadline. You did not have to repeat the training in 2019.

9. Hairstyle discrimination

A new law makes it illegal for employers to discriminate against employees and job applicants based on their hairstyle if it is part of their racial makeup. The CROWN Act (Create a Respectful and Open Workplace for Natural Hair), defines race or ethnicity as “inclusive of traits historically associated with race, including, but not limited to hair texture and protective hairstyles like braids, locks, and twists.” This new definition of race means that natural hair traits fall under the context of racial discrimination in housing, employment and school matters.

10. Reporting serious injuries

A new law broadens the scope of what will be classified as a serious illness or injury which regulations require employers to report to Cal/OSHA “immediately.” The new rules being implemented by AB 1805 are designed to bring California’s rules more in line with Federal OSHA’s regulations for reporting. It will mean that some injuries that were not reportable before will be, such as:
• Any inpatient hospitalization for treatment of a workplace injury or illness will need to be reported to Cal/OSHA.
• An inpatient hospitalization must be required for something “other than medical observation or diagnostic testing.”
• Employers will need to report any “amputation” to Cal/OSHA. This replaces the terminology “loss of member.” Even if the tip of a finger is cut off, it’s considered an amputation. As of yet, there is no effective date for this new law, as enabling regulations have to be written – a process that will start this year.

Governor Gavin  Newsom has signed a bill into law that will codify a court ruling from last year that set new ground rules for what constitutes an independent contractor, and which expands on that ruling.

There’s been a lot written in the media about the law, AB 5, and much of it misses the point. Some news reports have said it will spell the end of independent contractors in the state and that anyone a company hires to do a temporary job on contract must be treated as an employee.

Now that AB 5 is the law, state and federal labor laws will apply to independent contractors who have to be reclassified as employees.  That means they would be afforded all of the associated worker protections, from overtime pay and minimum wages to the right to unionize. Employers would have to cover them under their workers’ comp policies, and extend benefits to them as they do to other employees. The law also gives the state and cities the right to sue employers over misclassification.

AB 5 codifies and expands on a 2018 California Supreme Court decision that adopted a strict, three-part standard for determining whether workers should be treated as employees. Known as the “ABC test,” the standard requires firms to prove that people working for them as independent contractors meet certain standards:

THE ABC TEST
A) Must be free from the company’s control when they’re on the job;
B) Must be doing work that falls outside the company’s normal business; and
C) Must be operating an independent business or trade beyond the job for which they were hired.

 

The first prong aligns with the common-law test for employment and evaluates the degree of control exercised by the company over the worker.

The second prong examines whether the worker can reasonably be viewed as working in the hiring company’s business.

The third prong inquires whether the worker independently made the decision to go into business. The fact that the hiring company does not prohibit the worker’s engagement in such an independent business is not sufficient.

 

Occupations exempted include:

• Doctors
• Some licensed professionals (lawyers, architects, engineers)
• Accountants, securities broker-dealers, investment advisors
• Real estate agents
• Direct sales (compensation must be based on actual sales)
• Builders and contractors (who work for construction firms that build major infrastructure projects and large buildings)
• Freelance writers, photographers (provided the worker contributes no more than 35 submissions to an outlet in a year)
• Hairstylists, barbers (must set their own rates and schedule)
• Estheticians, electrologists, manicurists (must be licensed)
• Tutors (must teach their own curriculum)
• AAA-affiliated tow truck drivers. 

 

What employers should do

Legal experts recommend that employers:
• Perform a worker classification audit, and especially review all contracts with personnel.
• Determine which benefits and protections should be provided to any workers who are reclassified from  independent contractor to employee (think health insurance and other benefits).
• Notify any state agencies about changes to a worker’s status.
• Discuss with legal counsel whether you should also include a worker as an employee for the purposes of payroll taxes, workers’ comp insurance, federal income tax withholding,  ICA payment and withholding.

 

Note: Federal law remains unchanged. The IRS and National Labor Relations Board have their own independent contractor tests.

RISK MANAGEMENT – Even Small Firms Need a Crisis Management Plan

With risks to companies and employees growing, sometimes the unthinkable happens and a business has a real crisis on its hands. While large companies are usually well-prepared for a crisis should one occur, most small and mid-sized firms don’t have the resources or have not put much thought into how they would handle a crisis.

One of the most difficult parts of crisis planning is just what to prepare for, since a crisis could be a number of different events, like:
• The sudden death of a key member of your team.
• A defective product leads to an injury, illness – or worse.
• An accident severely maims or kills a number of your workers.

Your strategy

To get started, assemble a team that includes key members from your organization who will be responsible for creating your crisis-response plan. INC. Magazine recommends the following for your team:
Make a plan – You cannot start planning without first identifying your objectives. Once you identify them, you can make response plans for each type of event. Typically, that includes:
• Safeguarding any person (employee, vendor, customer and/ or the public) who may be affected by the crisis. Your plan would include how to respond to the crisis if people’s health and wellness are at stake.
• Making sure the organization survives. This would include steps you would take to ensure the company can continue as a going concern after a significant disruption.
• Keeping stakeholders (employees, vendors, clients, the public and government) informed on developments.

Create a succession plan – You should clearly outline the necessary steps to follow if you or one of your key managers suddenly became unable to perform their duties. This plan may include selling the company, or transferring ownership to family members or key employees.
Seek advice from the experts – This includes your leadership team, employees, customers, communications experts, investment bankers, exit planners, lawyers and financial managers. Each of these individuals has unique insights that can be invaluable for how to tackle a crisis.
Name a spokesperson – This is important if you have a crisis that spreads beyond your organization and affects the health and safety of a member of the general public, your staff or customers. Funneling all media communications through a spokesperson can help you deliver a clear and consistent message to media, as well as to the public at large.
Honesty is the best policy – A lack of honesty and transparency can lead to rumors, as well as a general distrust of your organization if the truth is exposed. The best approach is to be transparent and truthful about what happened and what you are doing to resolve the crisis.
Keep your staff up to speed – To stop the rumor mill and also keep employees from becoming worried amidst the uncertainty, keep your workers abreast of developments – and what the crisis means for the organization, and what you are doing about it.
Keep customers and suppliers informed – If you have an event that’s causing some disruptions, you also owe it to your clients and vendors to let them know what’s happening. Like your employees, keep them regularly updated on events and the steps you are taking to address the crisis. Put together a plan for how you would keep them posted.
Act fast and update regularly – Keeping the communications alive is important and once you grasp the situation and its effects, you can issue summary statements of the crisis and what’s happened. Then you can follow up with regular updates on your action plans, on people affected, any hotline you may set up, and more.
These days news travels fast and like wildfire on social media. You need to move at the same pace.
Social media is vital – More and more people get their news from social media and the discussions that ensue on posts, so you need to make sure that your company stays on top of the flow. You may want to assign a person or two to monitor social media and post and react to posts on social media. That way, your team can tell the company’s side of the story and put to rest unfounded rumors.
Make a plan for what a social media contact’s responsibilities would be during a crisis.

Get an early start

Your plan won’t be effective if you create it during a crisis. Plan in advance, so everyone can approach the strategizing unrushed and with a clear head.

As CYBER scams and hacker attacks grow, the insurance industry has been frantically trying to keep up in providing appropriate coverage for these events. Hacks, viruses, ransomware and exposure of sensitive personal information of your customers or employees, and any resulting regulatory implications, are often covered by cyber liability insurance. But what about the recent trend of criminals spoofing a company executive’s e-mail address, posing as them and ordering accounts payable to cut a check and send it to the fraudsters?

Well, two firms suffered similar incidents, but different federal appeals courts issued opposite opinions – one saying that a crime insurance policy covered the event, while the other court said it didn’t. The fact that two courts came out with two different rulings illustrates how many traditional and even cyber policies are slow to keep up with evolving hi-tech threats to businesses. The devil is always in the details, so read your policies and discuss your concerns with us.

The number of business e-mail compromise scams quadrupled in 2017, and losses averaged $352,000 per business and topped out at $3 million, according to an analysis of insurer Beazley’s clients. The FBI says these schemes are one of the fastest-growing cybercrimes.

Court case one: Covered

Employees of Medidata, a clinical-trial software firm, wired $4.7 million for what they thought was for an acquisition by their employer. They were sent a series of fraudulent e-mails that they thought were from their company president and the firm’s outside lawyer.

The company didn’t have a cyber insurance policy, but it had an executive protection policy, which had a crime section that included coverage for computer fraud, funds transfer fraud and
forgery. The insurer rejected the claim and the firm sued in federal court. The lower court ruled in favor of the insurer, but upon appeal, the federal appeals court ruled that the policy did in fact cover the loss.

The insurer argued the policy applies to only hacking-type intrusions. The appeals court found that while no hacking occurred, fraudsters inserted spoofing code into the firm’s e-mail system, which the court said is part of the computer system. The court held that the insurer must pay under the computer fraud portion of its policy.

Court case two: Not covered

A federal district court found no crime policy coverage after a Michigan tool and die firm wired $800,000 in funds to a fraudster’s account in the belief the account belonged to one of its vendors. The insurer faulted the company for not verifying the bank account with the vendor. The district court agreed with the insurer that the loss was not a “direct loss” caused by the “use of a computer,” and thus the crime policy did not apply.

The takeaway

Computer fraud is evolving rapidly, so it’s important that you talk to us about the types of fraud that appear in the news. We will work with you to ensure that your coverage is forward-looking and covering more than just threats from last year. We can also discuss with you how computer fraud coverage interacts with other types of cybercrime policies.

The Workers’ Compensation Insurance Rating Bureau of California will recommend dual-wage threshold changes to a number of construction classifications for the 2020 workers’ compensation policy year.

The Rating Bureau will make the recommendations to the Department of Insurance during its annual rate filing in June. The recommendations would have to be approved by the state insurance commissioner.

While most workers’ compensation classes have one rate, in some classes the difference in claims costs between high- and lower-wage workers is so great that a dual-wage classification is needed. In those cases, the workers above the threshold rate are assigned one rate, while those below that threshold are assigned a higher rate. This is usually because the higher-wage workers are generally more experienced and tend to suffer fewer workplace injuries compared to those below the threshold.

There are 18 dual-wage classes, but not all of them are in line for changes. Opposite is the list of changes the Rating Bureau plans to recommend in its rate filing.

 

Business Interruption Coverage Can Cover Lost Income

PG&E has warned California residents and businesses that it may shut down the power grid for as long as five days for large portions of the state when there are high-wind conditions during the dry fire season. That’s because PG&E’s infrastructure was found to be the cause of several recent wildfires.

PG&E sent letters to customers informing them that “if extreme fire danger conditions threaten a portion of the electric system serving your community, it will be necessary for us to turn off electricity in the interest of public safety.”  With the specter of multiple-day power outages, businesses need to be prepared for keeping their operations going and preventing losses that may not be covered by insurance.

Just think how difficult it would be if you lost access to your computers, which are the nervous system of any business today. If you have no power, your operations could be shuttered for all intents and purposes.
There a number of steps you can take to make sure your business is resilient and can keep functioning during power outages, especially if they last a few days:

Identify vital business functions

Identify business processes that will be affected by a power outage. These processes will differ from business to business, but once you put them all down on paper, it will be easier for  you to make a plan to keep them going.

Create a continuity plan

Once you’ve identified those processes, you should brainstorm on how you can keep them going without your regular power supply.

• Create a plan outlining how employees should respond to the power outage.
• Post emergency numbers on sight for employees to call, including your electricity supplier to get an estimate on when power may be restored.

Back-up power a must

Consider investing in a back-up generator that can keep the critical functions of your firm going during a power outage. Generators need to be used with adequate ventilation to avoid risk of carbon monoxide poisoning. Never plug generators directly into power outlets. Never use a generator under wet conditions, and let it cool off before refueling.

Cloud storage and MiFi

If you have not done so, you should secure a means of paperless document and file storage on the cloud. If there is a power outage and an accompanying surge, you could quickly lose your data. Plan ahead with a cloud server.

You should also prepare a system of personal wireless hotspots, or MiFi devices, so that even when the internet goes down, you can finish important tasks requiring web access, such as setting up an e-mail auto-response.

Consider business interruption coverage

The best way to minimize the financial blow is to have the
proper insurance in place. A multiple-day power outage could really crimp your income stream and, if you lose money due to your inability to operate, the typical business owner’s policy won’t cover lost revenue.

But, a business interruption policy would. These policies will reimburse you for lost revenues due to a number of events, including “service interruption” due to power outages and other utility services interruptions.

The important caveat is that the interruption was not caused by any of your own faulty equipment or wiring. But if the power company is shutting down power, any losses you incur should be a valid claim.

With risks to companies and employees growing, sometimes the unthinkable happens and a business has a real crisis on its hands. While large companies are usually well-prepared for a crisis should one occur, most small and mid-sized firms don’t have the resources or have not put much thought into how they would handle a crisis.
One of the most difficult parts of crisis planning is just what to prepare for, since a crisis could be a number of different  events, like:

• The sudden death of a key member of your team.
• A defective product leads to an injury, illness – or worse.
• An accident severely maims or kills a number of your workers.

Your strategy

To get started, assemble a team that includes key members from your organization who will be responsible for creating your crisis-response plan. Inc. Magazine recommends the following for your team:

Make a plan – You cannot start planning without first identifying your objectives. Once you identify them, you can make response plans for each type of event. Typically, that includes:

• Safeguarding any person (employee, vendor, customer and/ or the public) who may be affected by the crisis. Your plan would include how to respond to the crisis if people’s health and wellness are at stake.
• Making sure the organization survives. This would include steps you would take to ensure the company can continue as a going concern after a significant disruption.
• Keeping stakeholders (employees, vendors, clients, the public and government) informed on developments.

Create a succession plan – You should clearly outline the necessary steps to follow if you or one of your key managers suddenly became unable to perform their duties. This plan may include selling the company, or transferring ownership to family members or key employees. Seek advice from the experts – This includes your leadership team,  employees, customers, communications experts, investment bankers, exit planners, lawyers and financial managers. Each of these individuals has unique insights that can be invaluable for how to tackle a crisis.

Name a spokesperson – This is important if you have a crisis that spreads beyond your organization and affects the health and safety of a member of the general public, your staff or customers. Funneling all media communications through a spokesperson can help you deliver a clear and consistent message to media, as well as to the public at large.

Honesty is the best policy – A lack of honesty and transparency can lead to rumors, as well as a general
distrust of your organization if the truth is exposed. The best approach is to be transparent and truthful about what happened and what you are doing to resolve the crisis.

Keep your staff up to speed – To stop the rumor mill and also keep employees from becoming worried amidst the uncertainty, keep your workers abreast of developments – and what the crisis means for the organization, and what you are doing about it.

Keep customers and suppliers informed – If you have an event that’s causing some disruptions, you also owe it to your clients and vendors to let them know what’s happening. Like your employees, keep them regularly updated on events and the steps you are taking to address the crisis. Put together a plan for how you would keep them posted.

Act fast and update regularly – Keeping the communications alive is important and once you grasp the  situation and its effects, you can issue summary statements of the crisis and what’s happened. Then you can follow up with regular updates on your action plans, on people affected, any hotline you may set up, and more. These days news travels fast and like wildfire on social media. You need to move at the same pace.

Social media is vital – More and more people get their news from social media and the discussions that ensure on  posts, so you need to make sure that your company stays on top of the flow. You may want to assign a person or two to monitor social media and post and react to posts on social media. That way, your team can tell the company’s side of the story and put to rest unfounded rumors.

Make a plan for what a social media contact’s responsibilities would be during a crisis. Get an early start Your plan won’t be effective if you create it during a crisis. Plan in advance, so everyone can approach the strategizing unrushed and with a clear head.

More and more employers are banning cell phones in the workplace because they are distracting enough to be a serious safety issue for workers.

Most notably, General Motors has banned all employees, including its CEO, from walking around with their mobile phones while talking, texting or using other smartphone functions.
You already know the dangers of using your phone while behind the wheel, as vehicular deaths have spiked since the ubiquity of smartphones. But in many workplaces – think  warehouses, construction sites, factories and other worksites with equipment and inventory – the distraction of a smartphone can have deadly consequences. In busy workplaces, safety should be your primary concern. Consider the following:

Industrial machinery and phones don’t mix

OSHA bars the use of cell phones in construction regulations  pertaining to cranes and derricks, but the hazard exists across any dangerous equipment.
Some workers should absolutely not have their mobile phones on and within reach, such as powered industrial truck operators, forklift drivers and machinery users. If you have any of these among your workforce, you should strictly ban the use of mobile phones in any capacity during the use of industrial equipment.

You may consider extending the ban to include all of the other employees who regularly work around that equipment, particularly when they are walking or moving product to and from the warehouse. Also, if any staff from your office are in the work area, they too should refrain from using their phones while walking.

The biggest dangers

The best way to prevent workplace injuries is for employees to be aware of their surroundings. When people are using cell phones in an operational environment, it impedes their ability to recognize and react to hazards, particularly moving equipment like forklifts.
The biggest concern is people who are in the middle of writing long messages and engaging with others on social media or texting. Many of these apps have been shown to greatly reduce the user’s awareness of the real world around them.
There are many instances in which workers cause traumatic injuries or even death to themselves or others due to cell phone distractions that could have easily been prevented.

Potential property damage

Distracted cell phone usage is known to cause workers to accidentally misuse equipment or machinery, which can result in either small or serious damage to company property. Also, having a cell phone around hazardous chemicals or waste can pose a serious threat to the health and safety of all workers in the vicinity, in addition to property damage. Furthermore, the cost of replacing damaged property can have a major financial impact on your organization and possibly be at your expense.

WHAT YOU CAN DO

Create a policy that explicitly explains when and where  employees may use their mobile phones while on the job.  Some companies ban cell phones altogether, particularly call centers where employees’ devices are collected at the beginning of the day and kept in lockers until breaks. Consider the following for your rules:

• Mobile phones are barred for employees when performing on-site job-related tasks.
• Answering calls, texting, checking social media or using the Internet are all activities that fall under dangerous cell phone usage.
• Set parameters for when and where employees are allowed to use their phones.
• Consider restricting types of media and videos.
• Hold employees accountable to productivity levels. Note that time spent on the phone on personal matters is keeping them from focusing on their jobs.

As cyber scams and hacker attacks grow, the insurance industry has been frantically trying to keep up in providing appropriate coverage for these events.

Hacks, viruses, ransomware and exposure of sensitive personal information of your customers or employees, and any resulting regulatory implications, are often covered by cyber liability insurance. But what about the recent trend of criminals spoofing a company executive’s e-mail address, posing as them and ordering accounts payable to cut a check and send it to the fraudsters?

Well, two firms suffered similar incidents, but different federal appeals courts issued opposite opinions – one saying that a crime insurance policy covered the event, while the other court said it didn’t.

The fact that two courts came out with two different rulings illustrates how many traditional and even cyber policies are slow to keep up with evolving hi-tech threats to businesses. The devil is always in the details, so read your policies and discuss your concerns with us.

The number of business e-mail compromise scams quadrupled in 2017, and losses averaged $352,000 per business and topped out at $3 million, according to an analysis of insurer Beazley’s clients. The FBI says these schemes are one of the fastest-growing cyber crimes.

Court case one: Covered
Employees of Medidata, a clinical-trial software firm, wired $4.7 million for what they thought was for an acquisition by their employer. They were sent a series of fraudulent e-mails that they thought were from their company president and the firm’s outside lawyer.

The company didn’t have a cyber insurance policy, but it had an executive protection policy, which had a crime section that included coverage for computer fraud, funds-transfer fraud and forgery.

The insurer rejected the claim and the firm sued in federal court. The lower court ruled in favor of the insurer, but
upon appeal the federal appeals court ruled that the policy did in fact cover the loss.

The insurer argued the policy applies to only hacking-type intrusions. The appeals court found that while no hacking occurred, fraudsters inserted spoofing code into firm’s e-mail system, which the court said is part of the computer system. The court held that the insurer must pay under the computer fraud portion of its policy.

Court case two: Not covered
A federal district court found no crime policy coverage after a Michigan tool and die firm wired $800,000 in funds to a fraudster’s account in the belief the account belonged to one of its vendors.

The insurer faulted the company for not verifying the bank account with the vendor. The district court agreed with the insurer that the loss was not a “direct loss” caused by the “use of a computer,” and thus the crime policy did not apply.

The takeaway
Computer fraud is evolving rapidly, so it’s important that you talk to us about the types of fraud that appear in the news. We will work with you to ensure that your coverage is forwardlooking and covering more than just threats from last year. We can also discuss with you how computer fraud  coverage interacts with other types of cyber crime policies.