Is Cyber Insurance Right for Your Business?

Posted on October 18, 2019 by Marijana Dabic

Have you considered cyber insurance for your business? Here are a few reasons why it might be smart to do so.

Cyber insurance is finding its way onto the agendas of businesses everywhere, but it’s still a relatively misunderstood class of insurance. Because of this, many companies find themselves confused about how cyber insurance actually works and are skeptical about whether it makes sense for their business to purchase a policy. We hear you. In an effort to answer some of your big questions and put your concerns to rest, here are six big reasons why buying a standalone cyber policy may be a smart decision for your business.

You get cybersecurity tools and support, for freeFor most small-to-medium sized businesses, having a robust in-house IT security team isn’t always possible, or even necessary. But this can leave you without a place to turn in the event that the worst does happen. Would you know what to do if you walked into the office one morning and your systems had been disabled? Cyber insurance is a highly cost-effective way to gain access to the support you need in order to both prevent and respond to cyber events.Most cyber policies come with a number of proactive risk management tools, such as employee cybersecurity training programs, which help reduce successful phishing attacks, and dark web monitoring, which scans the dark web for signs that data relating to your business has been compromised. Most importantly, when it comes to responding to a cyber event, a good policy will give you access to IT experts, forensic specialists, PR firms, lawyers, and more, and often with a nil deductible.
Over half of all cyberattacks are aimed at small-to-medium sized businessesWhile the headlines focus on major security breaches at major companies, over half* of all cyber attacks are aimed at small businesses. What you don’t often hear about is the local law firm that mistakenly transfers $100,000 to a fraudster after being duped by a social engineering scam or the doctor’s office unable to use their computer systems for days because of a destructive malware attack. Just because events like these aren’t reported in the mainstream media doesn’t mean they aren’t happening.Cybercriminals see smaller organizations as low hanging fruit because they often lack the resources necessary to invest in IT security or provide cybersecurity training for their staff, making them an easier target.
Your employees will probably click on something they shouldn’tApproximately three quarters of the cyber claims we deal with involve some kind of easily-preventable human error. Theft of funds, ransomware, extortion and non-malicious data breaches usually start with a human error or oversight such as clicking on a phishing link, which then allows cybercriminals to access your systems from the inside.The fact remains that humans are the weakest link in the cybersecurity chain no matter how hard we try. Cyber insurance is a cost-effective way to not only get access to risk management tools like phishing-focused employee training programs, but also to cover the financial loss if someone makes a mistake.
You aren’t covered under other lines of insuranceCyber cover in traditional lines of insurance often falls very short of the cover found in a standalone cyber policy. Property policies were designed to cover your bricks and mortar, not your digital assets; crime policies rarely cover social engineering scams – a huge source of financial losses for businesses of all sizes – without onerous terms and conditions; and professional liability policies generally don’t cover the first party costs associated with responding to a cyber event.So, while there may be elements of cyber cover existing within traditional insurance policies, it tends to be only partial cover at best. A good standalone cyber policy, on the other hand, is designed to cover the gaps left by traditional insurance policies, and importantly, comes with access to expert cyber claims handlers who are trained to get your business back on track with minimum disruption and financial impact.
Cyber insurance covers far more than just data privacyTwo of the most common sources of cyber claims we see aren’t related to privacy at all – funds transfer fraud is often carried out by criminals using fraudulent emails to divert the transfer of funds from a legitimate account to their own, while ransomware can cripple any organization by freezing or damaging business-critical computer systems. Neither of these types of incidents would be considered a data breach, but both can lead to severe financial damage and are insurable under a cyber policy.Many businesses think that cyber insurance won’t be useful to them because they don’t collect sensitive data. However, more than 50% of our cyber claims come from events unrelated to breaches of privacy, and any business that uses technology to operate will have a range of other cyber exposures which a cyber policy can address.
Cyber insurance pays more claims than any other type of insuranceCFC has paid more than 1,500 cyber claims in the last 12 months, a number that eclipses previous years and is steadily growing, and the vast majority of these are from small and medium sized business. The industry as a whole is showing similar trends and low declinature rates. In fact, it was recently revealed that 99% of cyber insurance claims were paid in 2018, which means cyber has one of the highest claims acceptance rates across all insurance products.**Information like this shows that cyber policies are doing what they set out to do, which is provide broad coverage for a range of technology and privacy-related risks affecting modern businesses, all backed up by proactive risk management and expert incident response and claims handling.

Source: www.cfcunderwriting.com

Builders Risk: Minimizing Uncertainty at Bid Time

Posted on September 30, 2019 by Marijana Dabic

At the bid preparation stage, contractors often do not have full information on the builders risk insurance that will be provided by the project owner. The insurance requirements may be unclear or missing altogether. This often results in misunderstandings down the road. But it does not have to be that way.

The clarity and completeness of builders risk insurance requirements can and do vary considerably. I have encountered bid documents that do not contain builders risk requirements at all. I have also seen builders risk insurance addressed by a single sentence. These are actual examples:

“Owner will provide builders risk coverage.”
“The Owner shall provide property insurance upon the Work, but Contractor is responsible for all deductibles and uninsured losses.”
“Intentionally left blank.”

These examples all have one thing in common: The contractors are left to speculate on what, if any, coverage will be provided to them in the event of damage to the project. This is not a good way to start a project.

On the other hand, the insurance requirements may be complete and each contractor knows what risks are transferred to the builders risk insurer. This removes uncertainty … and any time you remove uncertainty, bid pricing is more favorable for the project owner. (Owners, please take heed.)

Why Aren’t Insurance Requirements Clear?

Insurance requirements may not be clear for two reasons. First, if model contract forms are used (e.g., American Institute of Architects, ConsensusDocs, Engineers Joint Contracts Documents Committee, Design-Build Institute of America), the builders risk provisions may be unclear or lacking to begin with. Many people assume that if a provision is contained in a model contract form, it must be appropriate. This is not true. Depending on circumstances, some provisions may be inappropriate. Other important loss exposures may not be addressed at all.¹

For example, the standard builders risk insurance requirement in one model contract form requires coverage on an “all risks” basis. This is desirable, but in the section that lists the causes of loss that must be covered, there is no reference to ensuing loss exceptions. Many say that the most commonly litigated provisions in builders risk policies are the exclusions applicable to faulty design, workmanship, and materials. The breadth of coverage is very different between a policy that has these exclusions and another that has these exclusions followed by ” … unless direct physical loss or damage by an insured cause of loss ensue and then this policy insures only such ensuing loss or damage.” The latter example has an ensuing loss provision, which is very beneficial to all those entities insured by a builders risk policy.

The second reason for unclear insurance requirements is that the drafter may not have the technical or practical experience necessary to properly structure the requirements. We have all reviewed insurance provisions that are poorly conceived and executed. Enough said.

What Can Contractors Do?

The construction bid process generally provides opportunities for a contractor to obtain clarifications or answers to questions. These are set forth in the bid documents and may include pre-bid meetings or procedures for submitting questions. With private work, a contractor may also qualify its bid to include certain assumptions regarding insurance.

Many contractors wisely seek additional information and answers to their questions. Others may know there are potential problems but hope for the best, and still others are not aware of the issues.

Checklist Tool

It is suggested that contractors compile a builders risk insurance checklist and request the owner to confirm what is contemplated/provided by the builders risk policy. A sample checklist is reproduced below. This template should be customized by the contractor to suit its needs. Regular use of a checklist can minimize uncertainty for all parties and further risk management programs.

	Coverage or Feature	Minimum Requirement/Comments
1	Owner Responsibilities
	Insurer selection	AM Best “A X” or better
	Naming of insureds	Owner, general contractor, subcontractors of all tiers
	Premiums and deductibles	Owner is responsible
	Policy format	Inland marine policy and forms
	Provide copy of policy	Within 60 days of project start
	Policy term	In compliance with the contract
	Partial occupancy prior to project completion	Secure approval of insurer
2	Covered Property	Replacement cost; no coinsurance
	Work at project site	Full contract value and modifications; owner’s supplied property
	Property in transit	Limits to be agreed upon
	Property at off-site locations	Limits to be agreed upon
3	Covered Causes of Loss/Other Features
	“All risks”	Full policy limit
	Wind	Full policy limit
	Collapse	Full policy limit
	Water damage (incl. sewer backup and sprinkler leakage	Full policy limit
	Collapse	Full policy limit
	Faulty design, workmanship, materials (resulting damage)	Full policy limit
	Terrorism	Full policy limit
	Flood	Limits to be agreed upon
	Earth movement	Limits to be agreed upon
	Equipment breakdown	Limits to be agreed upon
	Hot testing	Limits to be agreed upon
	Debris removal	Limits to be agreed upon
	Pollution, mold, fungus	Limits to be agreed upon
	Additional costs due to building laws	Limits to be agreed upon
	Extra expense (contractors)	Limits to be agreed upon
	Waivers of subrogation	In compliance with contracts

Source: www.irmi.com

¹ For a detailed analysis of builders risk insurance requirements in different standardized contract forms, refer to The Builders Risk Book, by Steven A. Coombs and Donald S. Malecki, published by International Risk Management Institute, Inc., in 2010.

What the Accomod8u Data Leak Shows About Student Housing

Posted on September 19, 2019 by Marijana Dabic

Here’s the background you need in order to understand the data hack, what it says about student housing, and what’s being done about it, as published by CBC News.

Earlier this month, an anonymous Reddit user wrote a post titled: “Massive Data Leak of Accommod8u Maintenance Requests Over the Last Two Years.” In a public Google document, the author said they managed to log into Accommod8u’s online tenant portal and access two years worth of maintenance requests. (Reddit)

Leaked information from the popular student rental company Accommod8u appears to paint a picture of apartments plagued with vermin, mould and broken heating systems.

But some say the problem with student housing in Waterloo goes beyond just one company.

Here’s the background you need to understand the data hack, what it says about student housing, and what’s being done about it.

What was the leak?

Earlier this month, an anonymous Reddit user wrote a post titled: “Massive Data Leak of Accommod8u Maintenance Requests Over the Last Two Years.”

In a public Google document, the author said they managed to log into Accommod8u’s online tenant portal and access two years worth of maintenance requests.

“A close look at the 6000+ entries reveals an egregious disregard for the rights and wellbeing of the residents,” the user wrote in the post.

The report describes requests from tenants for help dealing with mold, vermin, carbon monoxide and fire alarm issues and faulty heating systems. It also criticizes Accommod8u’s response time, alleging that users often put in multiple requests for help that were ignored.

Who is involved?

The company

On its website, Accommod8u describes itself as a high-end apartment brand with eight high-rise buildings under its ownership. The web copy says each rental suite is clean, secure and “maintained to the highest standard.”

The company has been criticized before, after tenants had their move-in dates at an Accommod8u property delayed for weeks because construction wasn’t finished. Once the building was occupied, tenants said they still encountered problems with air conditioning, garbage chutes and laundry machines.

Student move-ins delayed again, this time for TheHub in Waterloo
CBC has reached out to Accommod8u for comment and has not yet heard back.

The company has been criticized before, after tenants had their move-in dates at an Accommod8u property delayed for weeks because construction wasn’t finished. (Submitted by Brooke Willis)

The hacker

In a Google document titled “Contact Information,” the person or people behind the hack said they will not reveal their identity, or whether one or multiple people were involved. CBC has not spoken to those responsible for the data breach.

The police

The Waterloo Regional Police Service has confirmed that they are investigating the hack, but have not said whether any charges are pending.

What the leak shows

Students at the University of Waterloo say the hack shows what many of them knew already: that students are easily taken advantage of, and often don’t know what recourse they have when that happens.

Colin Chu was one of about 20 students who joined a meeting of the Waterloo Undergraduate Students’ Association Sunday, where the Accommod8U hack was on the agenda.

He said poor maintenance — along with disputed leases and other problems — is an ongoing problem at many of the rental companies that target students in Waterloo.

“Especially a lot of international students that are coming into the region for the first time and don’t have a really good handle on renting procedures or ways that they can be scammed or misled,” said Chu.

Chu said many students don’t know what their rights are, or that agencies like the Landlord and Tenant Board exist, and hopes they’ll become more active in learning about possible scams and ways to get help.

What officials are saying

Tenille Bonoguore, who represents much of the university area as a city councillor for uptown Waterloo, called the contents of the Accomod8u report “disturbing.”

“The kinds of issues that were being dealt with and the long time it was taking to deal with these issues give me concerns both for residents’ health and for their mental health,” said Bonoguore.

Bonoguore and her fellow councillors discussed the leak at a committee meeting this week, and questioned city staff about what the municipality’s responsibility is.

Shayne Turner, the city’s director of municipal enforcement services, said the city doesn’t have the power to investigate buildings without first being invited by a tenant.

But if tenants are having problems with their unit and aren’t getting anywhere with their landlord, they can contact the property standards office, which will check to see if there’s really a problem.

An inspector can issue a work order requiring property owners to fix problems, or hire someone to make repairs and add the bill to the property owner’s taxes.

What’s next

The undergraduate students association says it will set up a committee to research student housing in Waterloo, and to look into the possibility of a class-action lawsuit against housing companies on behalf of students.

Turner said his team will be in touch with the universities to ensure students understand how his office works, and what they can offer to tenants.

And Bonoguore said she plans to speak to students about their housing rights during a scheduled day upcoming where she was planning to go door-to-door talking about street parties.

“I’m hopeful that residents and tenants become so aware of their rights and what’s expected and how to get help that they end up being able to very successfully advocate for their own health and safety,” said Bonoguore.

“I think anyone who has lived in rental accommodation knows that your state of living is as good as your landlord is,” said uptown Waterloo councillor Tenille Bonoguore.

Author: Paula Duhatschek · CBC News · Posted: Sep 18, 2019 6:00 AM ET

How Well Does That Blanket Cover Your Client?

Posted on August 30, 2019 by Marijana Dabic

Blanket additional insured endorsements are useful tools for preventing administrative oversights and reducing paperwork, but they also carry risks for both the named and additional insureds. Discover methods contractors and subcontractors can use to minimize the risks of breaching their contracts when using blanket AI endorsements.

One of the age-old problems in obtaining additional insured status under a contractor’s or subcontractor’s insurance policy is making sure the appropriate actions have been taken to effect the required coverage. Certificates of insurance are commonly used to verify that the certificate holder has been added as an additional insured, but because they are not part of the policy, information contained on certificates may not be binding on the insurer. This article examines the use of blanket endorsements to effect additional insured status as a means of overcoming at least some of the imperfections of the process.

Additional insured status is a common and effective tool for protecting one party from certain risks arising out of another party’s activities. For example, municipalities typically require additional insured status from anyone holding a public event on city property, such as concerts, parades, and carnivals. The rationale behind this requirement is that the activities expose the city to certain risks that would not otherwise exist, so the person or organization that creates the risk should assume responsibility for any losses incurred as a result of the activities. In the case of a public concert, for example, if someone is injured when the crowd gets unruly, both the city and the concert sponsor will likely be sued. As an additional insured under the sponsor’s policy, the city can tender the claim under that policy instead of having to file the claim under its own insurance. The risk has been effectively transferred to the concert sponsor (assuming the available policy limits are sufficient to cover the claim.)

On a construction project, the owner typically requires additional insured status under the general contractor’s liability insurance policies; general contractors may do likewise with subcontractors. As in the example above, the rationale is that the construction activities create certain risks that would not otherwise exist and increase the magnitude of certain other risks. For example, a construction project in a retail district carries the risk that a pedestrian will be injured from flying debris, collapsed scaffolding, or a tool dropped from several stories up. These risks are directly related to the contractor’s operations on the site. Further, goes the rationale, the contractor (or subcontractor) performing the work is generally in the best position to prevent or control losses arising out of the work, and should therefore bear the corresponding financial risk.

However, requiring additional insured status does not necessarily guarantee that you will get it. The named insured (contractor or subcontractor) must notify the insurance company of the request, and absent a provision to the contrary, the person or entity requesting additional insured status must be listed, or “scheduled”, by name on an endorsement that is attached to the policy.

Because this requirement is so common in construction contracts, some contractors may handle hundreds of requests for additional insured status in a given year. Further, because the contracting process is often drawn out, and the insurance requirements given little more than a cursory review, this method of providing additional insured status carries inherent risks of error and oversight. Whether the result of failing to forward the request for additional insured status to the broker or insurer, failing to ensure additional insured status under a new or renewal policy, or some other oversight, a contractor (or subcontractor) can easily find itself in breach of a contract, among other unpleasant outcomes. Likewise, the would-be additional insured may find itself embroiled in a coverage dispute with the insurer and a contract dispute with the named insured contractor; meanwhile, it may be forced to tender the claim to its own insurer (or, if self-insured, fund its own defense). All of these possible outcomes frustrate the intent of the contracting parties.

Blanket additional insured endorsements were introduced as a means of avoiding administrative errors and oversights in providing additional insured status. These endorsements typically contain language indicating that additional insured status is automatically provided when the named insured agrees to provide such status. To avoid overly broad grants of coverage, these endorsements typically limit their application to certain types of written contracts, such as construction contracts or equipment rental agreements.

The obvious benefits of blanket, or automatic, additional insured endorsements are that they protect against failure to add a party as an additional insured in accordance with the contractual agreement, and reduce the administrative burden of making each request individually. However, from the additional insured’s perspective, there are also some potential drawbacks to obtaining additional insured status in this manner. First, in the past, blanket additional insured endorsements had to be manuscripted as no standard endorsements were available. Because they are not standardized, manuscript endorsements can differ from one policy to the next. Consequently, they offer less predictability in terms of scope of coverage, as well as how a court might interpret the language of the endorsement.

Because blanket additional insured endorsements typically require a contractual obligation on the part of the named insured to provide such status, those who obtain additional insured status through such an endorsement must retain proof of the contractual requirement to effect coverage. Even when the additional insured’s coverage does not apply to completed operations, claims arising out of occurrences that took place during the course of construction may not surface until years later. Some additional insureds assume that a certificate of insurance showing additional insured status at the time of the occurrence will be sufficient to trigger the insurer’s duty to defend and indemnify. That is not necessarily true. The additional insured will also need evidence that there was in fact a contract requiring such coverage. While a certificate of insurance indicating that the certificate holder has been added as an additional insured is evidence of a contractual requirement, a better approach may be to require the certificate to refer to the contract requirement. For example, the following language could be required on the certificate:

“In compliance with the contract requirements, certificate holder is an additional insured under the policy.”

If possible, the contracts themselves should be retained. (This should not impose a significant additional burden in most instances, as construction contracts are typically retained for access to indemnity and other provisions that may come into play well after the project is completed.)

Finally, blanket additional insured endorsements restrict insurers ability to provide notice of cancellation to additional insureds. Most insurance policies require such notice to be provided only to the named insured. Additional insureds often try to obtain a guarantee of notice of cancellation by modifying the certificate language, but this is an unreliable approach.

Summary

Blanket additional insured endorsements are useful tools for preventing administrative oversights and reducing paperwork, but they also carry some risks for both the named insured and the additional insured. Fortunately, these risks can be managed fairly effectively.

Owners and contractors requiring additional insured status should make certain the additional insured requirement is part of a written and properly executed contract, and retain copies of these contracts (as well as the certificates of insurance) for an appropriate period of time—at least 3-5 years if completed-operations coverage was required and included in the additional insured’s coverage. Further, they should stipulate in the contract insurance requirements a minimum scope of coverage to be provided to them as an additional insured.

Contractors and subcontractors using blanket additional insured endorsements to provide contractually required coverage can minimize the risks of breaching their contracts by sticking with language that has been tested, and making sure the endorsement extends the contractually required scope of coverage.

Source: irmi.com

Implementing Multi-Factor Authentication is Critical

Posted on August 14, 2019 by Marijana Dabic

The CFC Incident Response Team notes that the vast majority of claims for business email compromise (BEC) and the associated crimes that result from such a compromise (wire transfer fraud, data theft and further phishing attacks) could potentially be prevented by implementing multi-factor authentication (MFA) on email accounts and other accounts.

Due to the proliferation of modern attack methods used by cybercriminals, not using multi-factor authentication is akin to closing the door of your home but not locking it. To improve your security posture, and to bring it up to date to face current threats, the use of MFA is highly recommended.

So what is MFA? It’s an authentication process that requires more than just a password to protect an email account or digital identity and is used to ensure that a person is who they say they are by requiring a minimum of two pieces of unique data that corroborates their identity. This unique data comes in three forms – something you know (i.e. your password), something that you have (i.e. a one-time passcode generated by an app or hardware token), or something you are (i.e. fingerprint, retinal pattern, voice signature or facial recognition).

In the event of a password compromise, perhaps as a result of a phishing attack, it is very unlikely that the threat actor will also have the other piece of the authentication data. Therefore, the chances are that your email account or digital identity will not be compromised. It will increase your overall cyber security posture and will decrease your chances of reputational harm and negative business impact.

There are many free MFA apps and more comprehensive corporate solutions. Below are some additional resources:

Resources on how to set up MFA for Microsoft Office 365 can be found here.
Resources on how to set up MFA with Google can be found here.
Authentication apps such as Google Authenticator, LastPass Authenticator, Authy, Microsoft Authenticator or Yubico Authenticator are available free for a large number of digital services.

We urge all brokers and their clients to take this critical security step as soon as possible.

Source: www.cfc.com

Archives