Cyber-Threat Awareness Requires Training and Vigilance

Employees need training when it comes to recognizing potential cyber threats. They should be on notice that, no matter their position within an organization, they too are responsible for doing their part in maintaining security standards and following proper reporting protocols.

Consider this real-life example. An organization in Scotland is suing an employee for failing to spot a CEO spoofing scam, but the employee claims she never received any real training in how to recognize fraudulent emails.1 Though the employee appears to have acknowledged a brief warning, this case demonstrates the need for organizations to clearly and consistently set expectations when it comes to cyber training and awareness.

When it comes to training programs, employees often express the same kind of nonchalant attitude that pervades the entirety of their organization’s mindset on cyber security. If cyber-security culture is not prioritized, employees are not going to pay particular attention to a deck of slides and a short true-or-false quiz at the end to demonstrate their “mastery” of the material. In the case of the Scottish employee, her organization insists that she clicked a box acknowledging that she had been warned about the threat of CEO spoofing. When cyber-security efforts are merely boxes to be checked, it is unclear how much more useful they are than nothing at all.

Personalized Cyber-Security Training Is Key

Cyber-security awareness and training must be personalized. Namely, employees need to be provided with the tools to develop knowledge and achieve a better understanding of the critical cyber threats they come into contact with every day. More complex or newly implemented systems, and harder-to-understand technologies such as cloud infrastructures, may require specialized training for specific stakeholders or responsible parties. While training may not look exactly the same for each employee, compliance with security protocols and procedures should be.

Perhaps unexpectedly, compliance with security protocols should strengthen and support an employee’s ability to think critically and have a questioning mindset. In an organizational setting, it may seem counterintuitive to expect employees to take on a critical eye. But once an employee has received training on relevant systems and procedures, a questioning employee is going to have a better chance of spotting red flags and knowing when and how to report them.

Training programs should emphasize the need for employees to trust their gut when it comes to suspicious activities and act with caution even if something seems to correlate to company policy. Recognizing the type of CEO spoofing email mentioned above is a good example.

Training must evolve and be administered with the understanding that technology changes regularly as well as your organization’s usage of technology. Just as security procedures must never be a “set it and forget it” affair, continuing education also needs to reflect policy.

Cyber Training Needs To Be Useful and a Priority

The usefulness of different training programs should also be assessed regularly. It is possible that with this sort of feedback, it would have been understood that having an employee check a box is not an effective training tool in acknowledging emerging cyber threats. Instructing employees on where to find relevant cyber-security policies is also important in ensuring compliance as well as providing a point of contact for all related questions and reporting. This responsible party may also be the individual held accountable for evaluating compliance, the usefulness of certain training programs, and assessing when changes need to be made and retraining needs to take place. Communication is key when it comes to keeping training useful and not a checked box formality.

To ensure that training remains a priority and that initiatives are funded adequately, cross-organizational communication channels need to exist. Knowing what key threats an organization faces as well as understanding which assets need to be most protected are impossible tasks without interdepartmental communication, especially with the information technology department. Cyber-security leaders within an organization must also be sure to keep upper management apprised of what is considered most important when allocating cyber-security resources. In the case of the company mentioned in this article, in-depth training sessions focusing on the “human element” of security and the threat of social engineering attacks might have prevented the disaster.

Conclusion

While the jury is still out as to whether or not a lack of adequate training or negligence is to blame in the case of the employee falling for a CEO spoofing scam, either way, it points to an increasing need for organizations to implement, and strongly document, their training and education programs for their employees. Ultimately, the effectiveness of a training program is only going to be as strong as the overarching attitude toward cyber security that an organization has. Additionally, employees need to recognize their individual responsibility for upholding their organization’s cyber-security protocols. When it comes to cyber security, everyone is a stakeholder.

1 “Company Sues Worker Who Fell for Email Scam,” BBC, February 5, 2019.

Source: www.irmi.com


Small Contractors Beware of Wrap-Up Limitations

Any endorsement to a standard commercial general liability (CGL) policy that eliminates coverage should be of concern to small contractor insureds—a class of risks for whom general liability exposures are by far the most significant they face in the course of business. Yet the number of exclusionary endorsements added to many contractor accounts makes the review process formidable even for experienced industry personnel.

If an important restriction on coverage is missed and not addressed, the results can be catastrophic. Today’s example involves severe language removing coverage for contractor activities on sites where consolidated insurance—“wrap-up”—programs are or ever were in place.

Separating enrolled versus non-enrolled contractors in wrap-up programs is well understood within the industry. But some CGL insurance providers materially expand the extent of wrap-up exclusions imposing limitations not anticipated by any of the parties. One such wrap-up exclusion read as follows:

“Does not apply to any work insured under a consolidated (Wrap-Up) insurance program and this insurance shall have no obligation to defend or indemnify for any claim or any project where such wrap-up insurance exists or has ever existed. This exclusion applies whether or not a claim is covered under such wrap-up insurance, the limits of such wrap-up insurance are exhausted, the carrier is unable to pay, or for any other reason.”

Who Is Included?

There are categories of included and excluded—“enrolled” and “non-enrolled”—parties in all wrap-up programs. Delivery services, suppliers, truckers, equipment installers, waste removal, and other categories of business usually are ineligible for coverage under the wrap-up policy under which all enrolled contractors are named insureds.

The language quoted above was found in the policy of an equipment installer, a traditionally ineligible party to a wrap-up. The firm was occasionally installing high technology equipment on large construction sites as work reached completion. Wrap-up insurance was, or had been, in place on the project.

What makes this particularly sweeping exclusionary language so problematic is the fact that the equipment installer will continue to service the equipment for years after the construction project is completed—a project, in other words, where a wrap-up program “ever had been” in place.

Please note that the exclusion makes no reference to the insured equipment installer being a participant in the wrap-up program.

The Severity of Language

The severity of the exclusion becomes apparent when compared to standard designated operations exclusions, standard wrap-up exclusions developed by Insurance Services Office, Inc. (ISO), or other limitations specific to an enrolled contractor. Designated operations exclusions are specific to scheduled construction sites. The standard ISO wrap-up exclusion applies specifically because “a consolidated (wrap-up) insurance program has been provided by the prime contractor/project manager or owner of the construction project in which you are involved.” Such standard exclusions are readily understood. But the exclusionary language quoted above goes well beyond industry norms to remove coverage for any claim or project where wrap-up insurance is in place or ever existed.

The application for insurance that preceded the issuing of the exclusion endorsement made no inquiry as to the applicant’s participation in wrap-up insured projects or its performance of work at wrap-up sites. Information addressing limitations related to wrap-up issues was not descriptive. The policy to which the quoted wrap-up exclusion was added had approximately 50 pages of other endorsements, all of which reduced important coverage.

Only One Example

Wrap-up endorsements are only one of many severe endorsements that can be routinely added to contractor accounts. The quality of a contractor’s general liability insurance is highly important to all parties involved. Insurance coverage forms for this segment of our economy have evolved over more than a century in the United States through a laborious process of identifying construction risks and developing insurance coverage to deal with them. The use of nonstandard, severely restrictive endorsements and exclusions that remove coverage otherwise available and essential to the construction industry poorly serves the public.

Source: www.irmi.com


It’s Not Too Late, Start Your Cyber Resolution Today

CFC has put together a few top cyber-related resolutions for this year. Check them out and have a secure 2019!

  1. I will change all default passwords on my personal and work devices.
  2. I will regularly check for updates to the operating systems of my laptop, computer and mobile phone.
  3. I will install strong anti-virus software and keep it updated.
  4. I will think twice before clicking on unknown links or attachments in emails.
  5. I will authorize payments to new transfer partners via telephone to minimize risk of fraud.
  6. I will not share sensitive information on social media that could be used against me in phishing attacks.
  7. I will back up my entire system at least once a week on an external hard drive.
  8. I will encrypt my mobile phone and all of my other devices.
  9. I will talk to my kids (or parents) about how to stay safe online.
  10. In the event that resolutions 1-9 fail, I’ll have a cyber insurance policy in place to save the day!

Source: www.cfcunderwriting.com


Cyber Claims Case Study: CEO Swindle

One of the most common types of social engineering is CEO fraud. This is typically a targeted attack where a fraudster impersonates the CEO or another senior executive within an organisation and instructs a member of the finance department to make an urgent payment to a particular account for a specific reason. Even traditional businesses who might not think they have a strong cyber exposure can lose thousands in attacks like this.

CFC’s latest cyber claims case study tells the story of a manufacturer who fell victim to CEO fraud and the financial fallout the company experienced as a result.

The key takeaway points are:

  • CEOs and senior executives are prime targets for cybercriminals. They tend to act as the face of their respective companies and have bigger profiles on company websites and social media accounts, allowing cybercriminals to gather valuable information about them. Cybercriminals also know that employees are instinctively less likely to question instructions from senior executives. CEOs and senior executives therefore need to be especially conscious of sticking to good cybersecurity practices, and employees need to be particularly alert to suspicious emails and have robust authentication procedures in place.
  • Cybercriminals are becoming increasingly sophisticated. In the past, it was not uncommon to see blatant attempts at funds transfer fraud over email, with an urgent appeal for help or bogus prize give-aways being just two examples. Now, however, we are seeing far more nuanced attacks, with fraudsters sending convincing credential phishing emails to gain access to email accounts, setting up forwarding rules on email accounts to avoid detection and making use of seemingly legitimate invoice templates to add authenticity to their scams.
  • Lots of businesses don’t think they need to purchase cyber insurance because they believe they have good IT security in place, such as firewalls and anti-virus software. But this ignores the fact that people are often the weakest link in an organisation’s IT security chain. With increasingly sophisticated attacks like this on the rise, it makes it difficult for employees to tell the difference between a real email and a fake email or a real invoice and a fake invoice, and it makes the chances of a successful social engineering attack against a business increasingly likely.

Source: cfcunderwriting.com


Signs of Progress on National Flood Program for Canada

Canada is making good progress on a national flood program, pending a final decision by federal, provincial and territorial (FPT) ministers responsible for emergency management.

“What they are looking at is one national insurance solution to improve outcomes for high-risk Canadians across the country,” Craig Stewart, vice president of federal affairs at Insurance Bureau of Canada (IBC) told Canadian Underwriter in an interview Tuesday. “There may be regional insurance pools adapted to local conditions, but it would be nationally coordinated.”

FPT ministers responsible for emergency management have mandated IBC to lead a national working group to take a look at options and what they would look like. IBC provided three options:

  • A pure market approach (like in Germany and Australia) where governments exit disaster assistance
  • A broadened version of the status quo, but with better-coordinated insurance and disaster assistance
  • Deployment of a high-risk pool analogous to Flood Re in the United Kingdom.

The next step is for the working group, which Stewart chairs, to cost out the pool. “The pool needs to be capitalized as it was in Flood Re,” Stewart said. “So, we need to figure out where that money is going to come from. Is it going to come from governments? Is it going to come from insurers? Where is it going to come from?”

A final decision will be made by ministers after the high-risk pool is costed, which Stewart expects to be completed by June. Decisions on eligibility, how to capitalize the pool, and on any cross-subsidization await the results of that costing analysis.

In addition, this spring, the ministers will hold a technical summit on flood data and science. “Our view of the risk may not align with the government’s view of the risk,” Stewart said. “We need to bridge the gap. This symposium is going to focus on essentially the data and science of flood modelling.”

In early 2020, there will be the launch of a consumer-facing flood risk portal. IBC has been working with the federal government to develop the authoritative flood portal, where consumers can discover their risks and what to do about them.

“Elevating consumer awareness of flood risk is key,” Stewart said. “Consumers aren’t going to be incented to protect themselves or to buy insurance unless they know their risk.”

In May 2018, FPT ministers responsible for emergency management tasked IBC to lead the development of options to improve financial outcomes of those Canadians at highest risk of flooding. IBC worked with a wide range of insurers, government experts, academics and non-governmental organizations to produce the three options, which were tabled with ministers last week.

The ministers released the first-ever Emergency Management Strategy for Canada: Toward a Resilient 2030 on Jan. 25. The document provides a road map to strengthen Canada’s ability to better prevent, prepare for, respond to, and recover from disasters.

“In less than two years, Canadian insurers have secured a mandate with every province and territory to finalize development of a national flood insurance solution, have successfully catalyzed a national approach to flood risk information, have secured over two billion dollars in funding for flood mitigation, and have succeeded in securing a funded commitment for a national flood risk portal,” Stewart said.

Source: Canadian Underwriter