AN ALLEGEDLY Chinese state-sponsored hacker campaign dubbed “Salt Typhoon” has infiltrated major cell phone providers, including AT&T and Verizon, potentially exposing your company’s communications to threat actors.
The attack has been described as the most significant telecommunications hack in U.S. history. While the breach is alarming for individuals, the implications for businesses are profound and demand immediate attention.

What is Salt Typhoon?

Salt Typhoon is a sophisticated cyber-espionage operation allegedly orchestrated by the Chinese government.
The campaign has targeted vulnerabilities in telecom providers’ infrastructure to access text messages, monitor communications, and extract sensitive metadata.
The ongoing breach has affected at least eight major U.S. telecom companies and poses a severe threat to national security and corporate privacy.

Government warning

In response to Salt Typhoon, the U.S. government recommended using end-to-end encrypted communication platforms.
Unlike standard text messaging or phone calls, end-to-end encryption ensures that only the sender and recipient can read the messages.

Protecting your firm

Some steps businesses can take include:

• Shifting internal and external communications to end-toend encrypted platforms such as Signal or WhatsApp, or enterprise solutions with encryption features.
• Avoiding using text-based, one-time passwords for authentication; instead, deploy hardware security keys or app-based authenticators.
• Updating systems regularly: Ensure all devices and software are updated to patch known vulnerabilities.
• Conducting regular training to educate employees about phishing, secure communications and device management.
• Limiting data access: Implement least-privilege access controls to restrict sensitive data to only those who need it.
• Regularly auditing your infrastructure for vulnerabilities.

 

 

THE NEWEST cyber and financial fraud threat facing businesses is deepfake technology, which criminals are using to extract money from unsuspecting accounts payable personnel.
A finance worker at a multinational company in Hong Kong was duped into transferring $25 million to criminals who had used deepfake technology to pose as the business’s chief financial officer during a video conference call, according to local police.

A deepfake is an artificial image or video generated by a special kind of machine learning called “deep” learning. The creations have grown increasingly sophisticated and harder to detect.

How it happened

The worker received an e-mail from what he thought was the company CFO, inviting him to attend a teleconference with him, other company executives, and staff, according to Hong Kong police. The digitally recreated version of the CFO then ordered money transfers during the video conference call.
Based on instructions the employee got during that call, they transferred 200 million Hong Kong dollars ($25.6 million) to various Hong Kong bank accounts in a series of transactions.
The employee did not interact with the deepfakes during the video conference, and he later told police that others on the call looked and sounded like people he knew in the organization.
In fact, all of the other people on the call were fakes of real people in the company. The criminals had used deepfake tech to alter publicly available video and footage found online to create convincing digital versions of the others in the meeting.
Police said that the case was one of several recent incidents in which criminals had used deepfake technology to change publicly available video and other footage to steal from people and companies.

Warning to US businesses

This type of attack is essentially an extension of the wire transfer fraud, a threat that’s been growing in recent years.
These scams usually start with e-mails or even phone calls from scammers posing as someone higher up in an organization, a client or vendor. The end goal is to convince an employee with access to the company’s payment systems to transfer funds to the criminals.
Deepfake technology adds a dangerous new arrow to wiretransfer fraud criminals’ quivers, making the scam even easier to fall for.
To avoid being victimized, the law firm of Fischer Phillips recommended in a November 2023 blog that businesses:

Provide deepfake training to staff. You should already be training and providing refresher meetings on preventing cyber attacks of all sorts. Consider educating them about the dangers of deepfakes and provide the Hong Kong case as an example. Cover ways to spot deepfakes, including:
• Blurry details,
• Irregular lighting,
• Unnatural eye and facial movements,
• Mismatched audio, and
• Absence of emotion.

Urge staff to be suspicious. Your employees should be able to comfortably question the legitimacy of information and be urged to report suspicious activity.
Use strong authentication protocols. Put in place robust measures — like multi-factor authentication and similar tools — for accessing sensitive information and systems.

Insurance coverage

If your organization has a cyber insurance policy, it might cover a wire transfer fraud loss. The coverage provided by cyber insurance can vary significantly between insurance companies and policies. Some cyber policies may explicitly cover wire fraud, while others require additional endorsements or riders to provide adequate protection.
A commercial crime policy will cover losses resulting from the use of a computer to fraudulently transfer funds from inside the business premises or the insured’s bank to an outside party.
However, policies may only offer coverage if an employee was fraudulently involved in the wire transfer fraud. This type of funds transfer fraud is basically the only computer-related coverage that a crime policy offers.

EFFORTS ARE afoot to create new laws and regulations that would require California employers to include the opioid overdose medication Narcan in their first aid kits. Cal/OSHA’s Standards Board has received a petition from a safety group asking it to create new regulations requiring workplaces to stock medications that can reverse opioid overdoses.

On the legislative front, two state assembly members have introduced bills that would require workplace first aid kits to include naloxone hydrochloride, the substance that can reverse overdoses.
More than 83,000 people died of an opioid overdose in 2022 in the U.S., including nearly 7,000 Californians, according to the Centers for Disease Control.
Naloxone, sold under the brand names Narcan and RiVive, is available in an over-the-counter nasal spray or as an injectable.
These medications temporarily reverse overdoses from prescription and illicit opioids, are not addictive, and are not harmful to people when administered.
In its Dec. 8 petition to Cal/OSHA’s Standards Board, the National Safety Council asked it to add naloxone to the list of required items in both construction sites as well as general industry workplaces.
“With the number of workplace overdose deaths on the rise, opioid overdose reversal medication is now an essential component of an adequate first-aid kit,” wrote Lorraine M. Martin, president and CEO of the NSC.

Legislation

Two bills are in play.
AB 1976: Authored by Assemblyman Matt Haney (D-San Francisco), this bill would require first aid kits on job sites to include Narcan. It would require the Standards Board to draft enabling regulations by Dec. 31, 2026.
AB 1996: Authored by Assemblyman Juan Alanis (D-Modesto), this measure would require operators of stadiums, concert venues and amusement parks to stock Narcan. It would not require Cal/OSHA to create new regulations as the measure is aimed at helping members of the public.

The takeaway

In light of the opioid overdose epidemic, more and more employers and operators of facilities that cater to the public have started stocking naloxone.
With opioid overdoses so prevalent in U.S. workplaces (18% in California alone), the simple addition of this over-the-counter medication can save the life of a worker.
Narcan is available for around $40 at most major retail pharmacies. It’s a simple and inexpensive addition to a first aid kit for any employer. It would be good practice to keep a pack in your safety kit… just in case.
Meanwhile, if any of the legislative and possible regulatory efforts become law or regulation, we’ll let you know.

FLEET OPERATORS face an increased risk of potential liability if they are not diligent about checking their drivers’ moving violation records with the state Department of Motor Vehicles, in addition to the Federal Motor Carrier Safety Administration’s Drug and Alcohol Clearinghouse.

As of 2020, it became mandatory that all motor carriers sign up their drivers in the Clearinghouse and run their driver rosters through the system to clear them for duty. But many companies are skipping this step and only checking their drivers’ records with the DMV, which may not reflect any suspensions issued by the Clearinghouse.

Clearinghouse rules require that drivers be tested for drugs prior to being hired and randomly throughout the year. This helps employers weed out drivers who may be at higher risk of both moving violations and accidents.

The Clearinghouse

The Clearinghouse was created to keep commercial drivers who have violated federal drug and alcohol rules from lying about those results and getting a job with another motor carrier.
This electronic database tracks commercial drivers’ license holders who have tested positive for prohibited drug or alcohol use, as well as refusals to take required drug tests, and other drug and alcohol violations.

The Clearinghouse tracks a driver’s drug and alcohol tests and bars them from operating commercial vehicles after they fail a test. If they want to return to driving, they must successfully pass a return-to-duty process that includes substance abuse treatment and a test to evaluate their readiness.

The restriction can be lifted if the driver signs up for a Clearinghouse program that will test them 14 times in two years, with the first 12 tests having to occur in the first year.
This cost all comes out of the driver’s pocket.
This system is an important check on drivers and helps employers reduce their exposure.
The Department of Motor Vehicles is required to check the Clearinghouse before issuing a new or renewing a commercial driver’s license.

The takeaway

While it is the law that employers follow Clearinghouse procedures, because it’s a new system, many companies are failing to follow the rules.
If you are relying only on pulling a driver’s moving violation record and not the Clearinghouse, you are in breach of regulations and could leave your firm exposed.
If you employ a driver who is under suspension from driving by the Clearinghouse and they are involved in an accident, the victims could build a case that your organization was negligent in letting the individual drive and not checking the Clearinghouse first.
If they can prove negligence on a fleet operator’s part, the business could be in for a hefty court judgment.

Cal OSHA has proposed its long-awaited indoor heat illness prevention standard as increasingly hot summers are affecting workers in indoor spaces like warehouses, production operations,
restaurants and more.
The proposed standard, largely based on the state agency’s outdoor regulations, will require employers whose workplaces at times are at least 82 degrees to have a written Indoor Heat Illness Prevention Plan.
The standard, once it takes effect, will affect employers throughout the state and many will have to take steps and invest in equipment and planning to ensure compliance. The preventative measure to which most employers will likely resort is air-conditioning.
The Standards Board wrote in its proposal, according to the Cal-OSHA Reporter trade publication: “There is likely to be a particular need to reduce temperatures in large warehouses, manufacturing and production facilities, greenhouses, and wholesale and retail distribution centers.”
Other facilities that would likely also need to install HVAC units include restaurant kitchens and dry cleaners. They may also need to improve air circulation in their operations.
Under the proposal, the following regulations apply to a workplace where the indoor temperature exceeds 82 degrees.

Access to drinking water

Employers are required to provide access to potable water that is fresh, suitably cool, and free of charge.
It must be located as close as practicable to the work area, as well as indoor cool-down areas where employees can rest. If an employer doesn’t provide water continuously, it will be required to provide at least one quart per hour per employee per shift.
Employers should encourage frequent water consumption.

Access to cool-down areas

Employers must provide at least one cool-down area during shifts, and grant a cool-down break to staff who ask for one.
Workers taking cool-down breaks shall be monitored and asked to stay in the area if they are experiencing heat illness symptoms. As long as symptoms persist, they may not be ordered back to the work they were doing.

Control measures

Employers can implement a number of measures to protect their workers:
Engineering controls – This can include barriers between heat sources and employees, isolating hot processes from workers, air-conditioning, cooling fans, mist fans, swamp coolers, ventilation, etc.
Administrative controls – This can include limiting exposure by adjusting work procedures, practices, or schedules (working during cooler periods, using work/rest schedules, or reducing the speed of work).
Personal heat-protective equipment – This could include water- and air-cooled garments, cooling vests, and more.

Emergency response procedures

Employers will need to develop and have in place emergency response procedures that workers and supervisors can follow in case they are experiencing heat illness.

Acclimation steps

Employees should be closely observed during heat waves, and new workers must be closely observed during their first 14 days of work to ensure they are acclimating.

Training

Employees and supervisors will need to be trained on:

• Personal risk factors for heat illness.
• Their employer’s procedures for complying with the regulation.
• The importance of frequent water consumption.
• The importance of acclimation.
• Signs and symptoms of heat illness, and first aid or emergency response procedures.

THE FEDERAL government is warning that a newly discovered computer software vulnerability poses a major threat to the security of computer networks around the country.

Cyber criminals are exploiting holes in open-source code software commonly used in computer applications, websites and cloud services, which can allow them to seize control of a business’s computer network if preventative measures are not taken.

This is not a threat that businesses should take lightly as it could cripple your organization if your network is affected. If your firm is large enough to have dedicated IT staff, it should be their focus now.

 

The danger

The vulnerability lies in the Log4j software library, written in the Java programming language and created by the Apache Software Foundation. Many software vendors incorporate the Log4j software library into products such as websites, applications and cloud services to record network security and performance information.

It is likely that some of the software your business uses is built around Log4j. It runs on everything from cloud services to business enterprise software to internetconnected devices such as security cameras.

The federal Department of Homeland Security, the National Security Agency and other agencies announced on December 10 that they were “responding to active, widespread exploitation” of the vulnerability.

They warned that, if a company’s software has this vulnerability, a criminal could take over the network and cripple the business.

 

VULNERABLE BRANDS
Software developed by these firms have the security hole:

• Microsoft

• McAfee

• Hewlett Packard

• IBM

• Red Hat

• Dell

• Cisco

• Adobe

• Salesforce

• Oracle

 

What you should do

Do not take this threat lightly. As stated above, if you have dedicated IT staff, make it their primary focus right now. Major software developers have  reported that their products have the vulnerability.

You can find the full list of affected vendors and software here. Apache has published three software patches to address the problem since it became known. Software developers who use Log4j are likely applying the patches and making updates to their software available to business users.
If you receive notification about an updated version of software you are using, it should be installed promptly.

Companies that do not have their own IT department, should contact computer network consultants as soon as possible to get advice on how to proceed.

The Cybersecurity & Infrastructure Security Agency has technical information on this threat on a dedicated website. IT experts should review the site’s content, take appropriate actions as soon as possible, and monitor the site for further updates to the situation.

In the meantime, system administrators should adjust logging system settings so it does not interpret data as computer code.

Antivirus software, using a virtual private network for remote access to the system, and being alert for phishing e-mails are also important protections. Sound network data security coupled with safe internet practices can protect your business’s systems and your ability to continue operating.

 

EVERY YEAR starts with a flurry of new laws and regulations that California employers have to contend with.
And 2022 is no different as the California legislature had a busy year and the stresses of the COVID-19 pandemic resulted in more activity. The end result is another round of new laws that employers need to stay on top of so they don’t run afoul of them.
With no further ado, here are the top regulations and laws affecting California businesses.

 

1. Big change to Cal/OSHA citations

SB 606 adds two new Cal/OSHA violation categories for purposes of citations and abatement orders: “enterprisewide” and “egregious” violations. Cal/OSHA can issue an enterprise-wide citation that would require abating the violation at all locations. And the employer can face a maximum penalty of $124,709 per violation.
The law also authorizes the agency to issue a citation for an egregious violation if it believes that an employer has “willfully and egregiously” violated a standard or order. Each instance of employee exposure to that violation will be considered a separate violation and fined accordingly.

 

2. Permanent COVID standard

On Sept. 17, 2021, Cal/OSHA released a draft text for proposed permanent COVID-19 regulations, which if adopted would be subject to renewal or expiration after two years and would replace the current emergency temporary standard, which is set to expire Jan. 14, 2022.
Adoption is expected in the spring of 2022. Here’s some of what the draft standard would do:

CDPH rules – It would require that employers follow California Department of Public Health COVID-19 prevention orders.
Masks for unvaxxed staff – Unvaccinated staff must wear masks. Employers must provide masks when the CDPH requires them.
Outbreak rules – During an outbreak in the workplace, all staff would be required to wear face coverings regardless of vaccination status. Employers would need to provide respirators during major outbreaks to all employees.

 

3. COVID exposure notification

On Oct. 5, 2021, AB 654 took effect, updating requirements for what an employer must do if there is an outbreak of COVID-19 cases at its worksites.
This law somewhat curtailed earlier outbreak-reporting requirements as well as other required notifications for certain employers, and updated several provisions of the 2020 outbreak notification law, AB 685.
Here are some highlights:

• Employers have one business day or 48 hours, whichever is later, to report a workplace COVID-19 outbreak to Cal/OSHA and local health authorities.
• Employers do not need to issue these notices on weekends and holidays.
• When an employer has multiple worksites, it only needs to notify employees who work at the same worksite as an employee who tests positive for  coronavirus.
• The new definition of “worksites” for the purposes of the law has been changed to exclude telework.

 

4. Expansion of the California Family Rights Act

AB 1033 expands the CFRA to allow employees to take family and medical leave to care for a parent-in-law with a serious health condition.
More importantly, it adds a requirement that mediation is a prerequisite if a small employer (one with between five and 19 workers) is the subject of a civil complaint filed by one of its employees.

 

5. Workplace settlement agreements and NDCs

A new law took effect Jan. 1 that bars employers from requiring non-disclosure clauses in settlement agreements involving workplace harassment or discrimination claims of all types. This builds on prior law that barred NDCs only in cases of sex discrimination or sexual harassment.
The new law expands that prohibition to all protected classes, such as: race, religion, disability, gender, age, and more.
One important note: While employees can’t be prohibited from discussing the facts of the case, employers can still use clauses that prohibit the disclosure of the amount paid to settle a claim.

 

6. OSHA vaccine mandate

As of this writing, Fed-OSHA’s new emergency COVID-19 standard was set to take effect on Jan. 1, with the most contentious part of the rule mandating that employees who work for employers with 100 or more staff be vaccinated or submit to weekly testing.
Unvaccinated workers would also be required to wear masks while on the job under the new rules, which have faced fierce challenges in courts.
The U.S. Court of Appeals for the Sixth District recently reversed a stay of the order as challenges to it are litigated, meaning the order can take effect as scheduled as the legal process challenging the rule proceeds.
The U.S. Supreme Court will hear expedited arguments Jan. 8 on the U.S. Court of Appeals for the Sixth Circuit’s decision to lift the Fifth Circuit’s stay.

 

7. Wage theft penalties

AB 1003, which took effect Jan. 1, added a new penalty to the California Penal Code: Grand Theft of Wages. The new law makes an employer’s intentional theft of wages (including tips) of more than $950 from one employee, or $2,350 for two or more workers, punishable as grand theft.
The law, which also applies to wage theft from independent contractors, allows for recovery of wages through a civil action.
As a result, employers (and potentially managers and business owners) would be exposed to both criminal and civil liability for wage and hour violations like failing to pay staff accurately and in a timely manner.
Review your compensation policies and practices to make sure you are in compliance with current wage and hour laws.

 

8. COVID cases may be included in X-Mods

The Workers’ Compensation Insurance Rating Bureau of California has proposed plans to start requiring COVID-19 claims to be included when calculating employers’ X-Mods.
The proposal, which would have to be approved by the state insurance commissioner, would bring to an end current rules that exclude the impact of COVID-19 workers’ compensation claims on X-Mods.
If approved, the new rule would take effect on Sept. 1, 2022. That means that employers will be held accountable for COVID19-related workers’ compensation claims and, if any employee needs treatment or dies from the coronavirus, it could result in higher premiums in the future.

 

9. Notices can be e-mailed

A new state law authorizes employers to distribute required posters and notices to employees via e-mail. SB 657 adds e-mail as a delivery option to the list of acceptable notification methods, which also includes mail.
Required posters and notices will still need to be physically posted in the workplace.

 

10. Warehouse quota rules

A new law that took effect Jan. 1 makes California the first (and only) state to regulate quotas used by warehouse employers.
While the bill was written with Amazon Inc. in mind, it affects all warehouses with 100 or more workers, and violations of the new law can be costly for an employer.
Under AB 701, warehouse employees must be provided with a written description of the quotas to which they are subject within 30 days of hire. Common quotas include the number of tasks the employee is required to perform, the materials to be produced or handled, and any adverse employment action that may result from a failure to meet the quota.

 

While employers may still implement quotas, employees are not required to meet a quota if it:

• Prevents them from taking required meal or rest periods,
• Prevents them from using the bathroom (including the time it takes to walk to and from the toilet), or
• Contravenes occupational health and safety laws. The law also bars employers from discriminating, retaliating or taking other adverse action against an employee who:
• Initiates a request for information about a quota or personal work-speed data, or
• Files a complaint alleging a quota violated the Labor Code.

 

AS THE CONSTRUCTION industry booms, contractors face evolving risks that, left unchecked, can leave their operation exposed to new liabilities.
If you already operate a construction firm, you know that there is a labor shortage that has made it difficult to find experienced workers and that hiring entities are asking builders to take on more of the design function, as well.
Your liability picture has also likely changed with the increasing use of wrap-ups and, if you’re using technology in your operation, you now have rising cyber-security risks, too.

Lack of qualified workers

The bottom fell out of the construction industry in the U.S. during the first few months of the COVID-19 pandemic, and many worksites were idled. Now that the industry has found its footing, it’s been dealing with a severe labor shortage.
As construction firms struggle to find workers, the ones who are on the job are having to take on larger workloads, which can put them at risk of injury or making mistakes.
Also, many contractors are having to take on younger, less-seasoned laborers, who may lack the experience to identify and avoid hazards, which puts them and others at risk of injury. Those injuries in turn affect your workers’ comp
premiums.
A lack of workers coupled with inexperienced new ones on sites can also end up drawing out projects, forcing contractors to miss deadlines.

Professional liability risks

As more project owners want an all-in-one job with the lead contractor designing and building the project, contractors now face a new type of risk: professional liability.

But the typical contractor’s insurance policy doesn’t provide protection for any design work you take on.
Courts have ruled that:

• Designers who perform “builder activities” lose limitation of liability typically enjoyed by design professionals.
• Builders who perform “design activities” assume responsibility for design deficiencies.

Wrap-ups more prevalent

Many construction projects are now covered under one general liability policy to cover the work of the general contractor, as well as of all the subs. More lenders are requiring that liability is set up in one all-encompassing policy.
A properly assembled general liability wrap-up should provide coverage not only during the construction period, but also up to 10 years after the work is completed.  These policies often reduce the cost of coverage.

More cyber-security risks

Like all industries, the construction sector has grown increasingly reliant on technology to get the job done. That exposes contractors to a variety of cyber risks, including keeping project designs, client records and employee records confidential.
Many building contracts today include clauses requiring the contractor to be responsible for potential cyber breaches.
Given the increasing popularity of practices such as “building information modeling,” “integrated project delivery,” and file-sharing between participants in a construction project, contractors may be at increased risk of liability in the event of a data breach.

BUSINESS COMPROMISE scams that use both technology and a human touch to steal funds from businesses are growing as criminals engage in social engineering tactics to dupe unsuspecting employees.

Businesses have lost millions of dollars to social engineering scams, where attackers impersonate a company president or executive who is authorized to approve wire transfers to trick employees into transferring funds into a fake client or vendor account.

According to the FBI’s Internet Crime Complaint Center, in 2019 U.S. businesses were hit with an estimated 23,775 e-mail compromise scams that
resulted in aggregate losses of $1.7 billion. Figures for 2020 are not yet available.

Vishing – or voice phishing – attacks have been growing. The FBI in January warned of an increase in vishing attacks targeting employees working remotely in the COVID-19 pandemic, and of the heightened risks companies face when network access and broadening of online privileges may not be fully monitored.

 

How to train employees

Providing practical employee phishing training is key to keeping your company safe. The following are activities and tips to help you train employees to stay vigilant.

Remote workers should be vigilant in checking internet addresses, more suspicious of unsolicited phone calls, and more assertive in verifying the caller’s identity with the company, the FBI recommends.

When training staff, you should:

• Explain what vishing and phishing is, how it happens, and what risks it poses on a personal and company level.
• Explain the different types of phishing attacks.
• Train your workers in identifying signs of phishing attacks, like e-mails with poor spelling and grammar, incorrect e-mail addresses (for example BobS@ Startbucks.com), and fraudulent URLs.
• Train your staff in recognizing phishing links, phishing attachments, and spoofed e-mails. Additionally, your employees should know what steps to take after they identify a threat.
• Conduct simulations that send employees fake phishing e-mails. The results should be shared with them to show how they fell for the scam and the damage that being duped into clicking on a malicious link can cause.

 

Insurance

As vishing and business e-mail compromise scams increase, more employers are seeking to add coverage in their commercial crime policies.
Typically, these policies have been used to cover losses for internal theft, but lately, about 50% of claims are for losses related to phishing and fishing scams.
The price of social engineering coverage varies by risk and limit, but it can often be added to a crime policy as a rider.
One thing though: social engineering coverage will often have lower limits than a typical commercial crime policy. This is because of the risk of much larger financial losses than a company could expect from internal theft or white-collar crime perpetrated by an employee.

 

ADVICE FROM THE FBI

• Consider instituting a formal process for validating the identity of employees who call each other.
• Restrict VPN connections to managed devices only (meaning not on employees’ personal devices).
• Restrict VPN access hours.
• Employ domain monitoring to track the creation of or changes to corporate brand-name domains.

CYBER INSURANCE rates are going to increase dramatically in 2021, driven by more frequent and more severe insured losses, according to a recent industry study.

The report by global insurance firm Aon plc predicted that rates would jump by 20% to 50% this year due to two main factors:

 

1. Cyber attacks are becoming more frequent

While publicly disclosed data breach/privacy incidents are actually occurring less often, ransomware attacks are exploding in frequency.

Ransomware incident rates rose 486% from the first quarter of 2018 to the fourth quarter of 2020. The comparable rate for data breach incidents fell 57% during the same period. The incident rates for the two types of events combined rose 300% over the trailing two years.

 

2. The costs of these attacks are growing

The average dollar loss increased in every quarter of 2020. Ransomware attacks were particularly severe – many of them resulted in eight-figure losses. Others may grow to that level as business interruption losses are adjusted and lawsuits against insured organizations proceed.

The combination of more frequent and more costly losses is a
recipe for higher rates.

Cyber insurance rates continued increasing in 2020, with rises of between 6% and 16% in the last four months of the year. In January 2021, most of the top 12 cyber insurance companies told Aon they were planning more drastic rate hikes. Nearly 60% reported that they would be seeking rate increases of 30% or more during the second quarter. None of them expected increases less than 10%.

 

New underwriting criteria

When insurers evaluate cyber insurance applicants, they will be particularly concerned with the organization’s overall cyber risk profile, its cyber governance and access control practices, and its network and data security. Prior loss history will be less important because the frequency of attacks is growing so quickly.

Some insurers may also cap how much they will pay for ransomware losses, or even exclude them entirely. They may also increase the waiting periods before coverage begins to apply.

 

WHAT BUSINESSES CAN DO

To improve your chances of getting more favorable pricing and coverage, the report recommends that you focus on:

• Reducing the risk of cyber losses.
• Measures to keep data private.
• Building an internal culture of cybersecurity.
• Preparing for ransomware attacks and disaster recovery planning.
• How your contracts and insurance will respond to a supply chain security breach.
• Understanding primary and excess coverage terms and
  communicating primary terms to excess insurers.