February 2021 • Vermont
The human impact of a data breach
Better manage the potential reputational fallout of a cyberattack
CYBER
Understanding your risk
Least privilege & zero trust
Technology scams
DEPARTMENTS
In brief
Tech
Security
Risks
E&O
Ask PIA
Readers’ service and advertising index
COVER STORY
The human impact of a data breach: Better manage the potential reputational fallout of a cyberattack
FEATURE
Technology scams in uncertain times: Watch out for these five examples
Statements of fact and opinion in PIA magazine are the responsibility of the authors alone and do not imply an opinion on the part of the officers or the members of the Professional Insurance Agents. Participation in PIA events, activities, and/or publications is available on a nondiscriminatory basis and does not reflect PIA endorsement of the products and/or services. President and CEO Jeff Parmenter, CPCU, ARM; Executive Director Kelly K. Norris, CAE; Communications Director Katherine Morra; Senior Magazine Designer Sue Jacobsen; Editor-In-Chief Jaye Czupryna; Advertising Sales Executive Susan Heath; Communications Department contributors: Athena Cancio, Alexandra Chouinard, Patricia Corlett, Darel Cramer, Roberta Lawrence, Zack Littrell, Alysia Plaza and Crystal Ringler. Postmaster: Send address changes to: Professional Insurance Agents magazine, 25 Chamberlain St., Glenmont, NY 12077-0997. “Professional Insurance Agents” (USPS 913-400) is published monthly by PIA Management Services Inc., except for a combined July/August issue. Subscription rate for members is $13 per year, which is included in the dues; subscription rate for nonmembers is $25 per year. Professional Insurance Agents, 25 Chamberlain St., P.O. Box 997, Glenmont, NY 12077-0997; (518) 434-3111 or toll-free (800) 424-4244; email pia@pia.org; World Wide Web address: pia.org. Periodical postage paid at Glenmont, N.Y., and additional mailing offices. ©2021 Professional Insurance Agents. All rights reserved. No material within this publication may be reproduced—in whole or in part—without the express written consent of the publisher.
COVER DESIGN Zack Littrell
IN BRIEF
NEWS TO USE
Internet sales: Opportunity or potential liability?
Robert M. Sullivan, Esq., senior partner, Sullivan & Klein LLP

Agency websites vary in content and design. Some offer information, while others are capable of binding insurance and delivering policy forms to insureds. Some states have promulgated rules, guidelines and commentary designed to lead insurance producers through the potential traps and complications involved with the solicitation, sale and servicing of insurance through the internet. Navigation of the current regulatory environment requires attention to the basic constraints that have been imposed by these regulators.

Constraints

These basic constraints appear to reflect an overall concern with a given state’s need to protect its citizens from unregulated insurance sales, as well as a professed intent to allow its citizens to reap the benefits of web-based insurance transactions. While some states have moved to the forefront of the regulatory pack, others remain virtually silent on the subject of electronic insurance transactions. A survey of the basic positions of the various insurance regulators does yield useful information for the agent who seeks some measure of safety in an untested area.

No. 1: All state statutes, rules and regulations remain applicable, whether a transaction takes place over the internet or through conventional channels. Almost universally, the states that have discussed the subject of internet insurance sales have opined that filing, form, licensing, notice and payment regulations remain operative for these, as well as for conventional sales.

No. 2: Contracts, policies and insurance forms should be displayed on the website in the form approved by the regulating state. In similar fashion, some states have required that any insurance form displayed, printed or delivered over the internet be conveyed in precisely the same form as would be received by the insured in the course of a paper transaction.

No. 3: Licensing and registration requirements generally compel an agent to display the states where the agent is authorized to do business prominently. While there is some question as to whether an insurance producer has solicited insurance by simply maintaining a website that is passively accessible to the residents of a given state, there appears to be little doubt that an agent would be held to have solicited a prospective client once a response has been received over the internet from a potential insured. Given the uncertain regulatory nature of internet sales, it is advisable that agents include prominent disclaimers on their websites, indicating that there is no intent to solicit sales of insurance from the residents of any states other than those states where the agent holds a resident license. Accordingly, if a response or question is received from a resident of a state where the agent does not hold a resident license, any further communication should be refused, informing the individual that the agent is not licensed in the state.

No. 4: Websites should ensure adequate security and privacy of sensitive insurance information. Many insurance transactions require significant privacy, either by virtue of the subject matter or by operation of state law. As a result, insurance application information submitted over the internet should be protected from disclosure to third parties by virtue of website design and procedures established by the agent or broker on an internal basis.

No. 5: Insurance purchasers should be alerted to insurance policy features that are not available in their state. Agents should give a resident insured accurate information concerning the forms, rates and provisions that would be applicable in the resident’s state. This would require a significant level of sophistication on the part of any individual responding to email inquiries. It would require that the forms and information be available through the website.

No. 6: In all probability, insurers will be held responsible for their agents’ internet marketing practices. Some regulators have commented that the conduct of agents—while they use the internet—will be imputed to insurers. It would be logical for agents to review the hold-harmless language of their agency contracts, and, if necessary, clarify the responsibilities of agents and insurers for compliance with the continual growth of regulations relating to the conduct of internet insurance sales.

Conclusion

All of the above, together with certain additional considerations, should compel agents to give serious thought to weighing the potential benefits of internet sales against the obvious risks. Without question, continued diligence as to the developing requirements of each state’s law is essential to developing a reasoned and informed approach to electronic insurance sales.

This article is adapted from QS90208, which can be found in the PIA QuickSource library.
PROFESSIONAL INSURANCE AGENTS MAGAZINE
BY THE NUMBERS
The next crisis: A cyber security pandemic

The COVID-19 pandemic has transformed the way we communicate, work and survive. But, following closely behind it may be a different sort of crisis: a cyber security pandemic. This new pandemic is the result of governments, businesses, medical facilities, and people all over the world becoming victims of data breaches, malware and identity theft—all at the same time.

88% of the world’s workforce has been working remotely since the pandemic began.

Challenges I.T. workers faced when employees began working from home:
• Creating flexible solutions for remote access
• Alerting to dangers of untested unsecured software
• Developing secure remote access

If you aren’t careful, you could join these ranks:
• Ransomware attacks on school districts. Percentage of all U.S. ransomware incidents that affected schools and schoolchildren K-12: 28% in January-July; 57% in August-September.
• The U.S. Treasury Department cyberattack also affected 18,000 other organizations found with malicious code in their networks.

Tips to help avoid an attack

For employers:
• Back up important files often
• Update anti-virus software
• Fix security issues promptly
• Secure email systems

For employees:
• Open emails only from trusted sources (don’t click links or open attachments from unknowns)
• Use strong passwords and update them regularly
• Do not allow others to use your work devices (computers, tablets, cell phones)

The COVID-19 pandemic leaves the global workforce exposed to cyber security threats, as most people work remotely. It’s important to understand what cyber security pandemics are, how the health crisis makes us more susceptible, and how to prevent a cyber security pandemic. You can never be too careful—with yourself and your clientele.
ASSOCIATION NEWS
PIA can help with all your agency’s tech and cyber needs

As a PIA member, you have access to a number of technology- and cyber-related tools to help run and protect your agency and help your clients, including the following:

PIA Technology Info Central
Are you looking for a one-stop shop for technology news, real-time initiatives, vendors and consumer information for your website and more? Through the PIA Technology Info Central, you have access to all of this, plus you can review real-time implementation options; keep current with the latest technology news; and obtain materials to assist in creating and updating your agency’s website. Access this PIA-member resource via the PIA website (pia.org) under the “Tools and Resources” tab.

PIA’s Technology Hotline
If you need more information on a technology-related subject, PIA’s Technology Hotline can put you in touch with two nationally recognized technology experts. Steve Anderson, editor of the TAAR Report, and Matthew P. Milliken, owner of Mt. Washington Valley Consulting Inc., bring PIA members the advantage of more than 20 years’ experience in agency-company technology. PIA members get up to 30 minutes of free consultant time when requested through PIA’s Industry Resource Center: email resourcecenter@pia.org or call (800) 424-4244. Access this PIA-member resource via the PIA website (pia.org) under the “Tools and Resources” tab.

AVYST eForms Wizard
You also can use technology to get to market faster. AVYST eForms Wizard enables professional insurance agents to interview clients and prospects on-site, allowing agency personnel to input data directly into forms that are saved and shareable. Once information is collected, it can be conveyed to the business’s carriers, wholesalers and other sources within the agency. This system eliminates redundant entry on forms, makes it possible to complete multiple ACORD applications and helps agents get to market faster. The Gold Level is available to PIA members at a 50% discount, or you can choose to allow some or all of your employees to access the free Bronze Level, which is available with your PIA membership. For more information, see: https://avyst.com/partnerships/pianortheast/.

Agency Revolution
You can use technology to reach out to your clients by taking advantage of PIA’s partnership with Agency Revolution, an FMG Suite company that offers a marketing platform to help insurance professionals automate their processes; build deeper, more meaningful client relationships; and grow their businesses. Agency Revolution offers professionally designed websites backed by an award-winning content library, and a collection of marketing, communication and relationship-building tools. For more information, see agencyrevolution.com and mention your PIA membership.

Cyber liability coverage
Your agency depends on your computer system, confidential client information and website operation every day. The average cyber claim payout is nearly $1 million. Don’t take the risk. Arm your agency with a cyber liability policy from PIA. PIA’s coverage gives you options. PIA knows how hard you work to protect your clients. Don’t leave your own business exposed to the aftermath of a data breach. Let us navigate your coverage needs with precision. Our insurance professional team works to provide your agency with competitive coverage that fits. Access this PIA-member benefit via the PIA website (pia.org) under the “Tools and Resources” tab.

Cyber security regulations
Some states (e.g., Connecticut, New Hampshire and New York) require agents to adhere to cyber security regulations if they are licensed to do business in those states. PIA has compiled resources to help agents comply with these regulations, specifically New York’s—Connecticut and New Hampshire’s regulations include a safe harbor for any licensee who is compliant with New York’s cyber security regulation (23 NYCRR 500). PIA members who have questions about conforming with these states’ regulations can access the cyber security regulations information, which is part of PIA’s Privacy Compliance Central. This tool kit is available on the PIA website, under the “Tools and Resources” tab.

These are some of the resources and products accessible through your PIA membership year round. For more information on how PIA helps you run your business, see the PIA website (pia.org) or call (800) 424-4244.
TECH
DAN CORBIN, CPCU, CIC, LUTC Director of research, PIA Northeast
ISO introduces 2020 Commercial Auto Program Here’s a bit of good news. The Insurance Services Office Inc. is introducing 19 new endorsements in its 2020 Commercial Auto Program, which will result in many more coverage options for your policyholders. In addition, 38 endorsements have been revised and one has been withdrawn. While this filing could be heralded in terms of constructive changes, you may want to consider its repercussions by drawing a parallel to Newton and his third law of inertia: For every action, there is an equal and opposite reaction. The more options the policyholder has, the longer your coverage checklist must be to avoid overlooking desired protection. Once you know your client desires or expects a particular coverage, and that option now exists, you had better give an informed response in order to avoid Newton’s first law of inertia giving your client momentum toward a law office. Speaking of being informed, let’s get started with the coverage enhancements.
New coverage enhancements
Service/utility trailers. The automatic coverage for trailers in the various coverage forms is amended from trailers having a “load capacity of 2,000 pounds or less” to those having a “registered Gross Vehicle Weight Rating of 3,000 pounds or less.” This will make the determination more easily identifiable, but it does eliminate unregistered trailers.
Towing and labor. Coverage for towing and labor is expanded to include light and medium trucks, in addition to private-passenger types.
Owned autos. While referenced in Rule 90–Hired Autos in the commercial auto manual, there was no policy provision defining an “owned” auto to include an auto that is leased or rented under written agreement for a continuous period of at least six months. This provision has been added.
Maximum deductible. A maximum physical damage deductible is introduced that is equal to five times the highest deductible applicable to any one covered auto.
Transportation/loss of use. The limits in the forms for transportation and loss of use expense are increased from $20/day to $30/day, and from $600 maximum to $900 maximum.
New endorsement enhancements
CA 04 15 11 20–Garagekeepers Coverage For Autos And Watercrafts. Do your clients service, repair, store or provide safekeeping for watercraft? If so, then you want to tell them about this coverage. It revises the definition of “customer’s auto” to include a land motor vehicle, “trailer,” semitrailer or watercraft.
CA 04 21 11 20–Full Safety Glass Coverage. While some states make full glass a mandatory coverage or option, this endorsement introduces availability on a multistate basis.
CA 04 22–Earlier Notice Of Cancellation Provided By Us. This new option prescribes a notice of cancellation earlier than otherwise required by the policy provisions or state requirements.
CA 04 39–Volunteer Hired Autos. You may recall that CA 20 54–Employee Hired Autos extends liability and physical damage coverage while an employee rents or hires a vehicle in an employee’s name while performing duties related to the employer’s business. This new endorsement extends similar coverage while volunteers hire or rent an auto while serving the named insured.
CA 04 41 11 20–Replacement Cost Coverage–Private Passenger Types. Similar to what was introduced in the 2018 Personal Auto Program, this new option settles a total loss to a scheduled vehicle at replacement cost, provided the loss occurs within 24 months after becoming the original owner and the mileage shown in the odometer at the time of the loss is less than 24,000 miles. The replacement vehicle must be of the same make, model, trim level and equipment. If there is no equivalent available, payment for a similar vehicle cannot exceed 110% of value of the vehicle damaged.
CA 04 43 11 20–Waiver Of Transfer Of Rights Of Recovery Against Others To Us (Waiver Of Subrogation)–Automatic When Required By Written Contract Or Agreement. The current CA 04 44–Waiver endorsement applies only to the person or entity scheduled on the endorsement. This new option applies when such waiver is required under a written contract or agreement entered into by an insured.
CA 05 24–Non-Ownership Liability Coverage For Volunteers. The current CA 99 34–Social Service Agencies–Volunteers As Insureds endorsement provides social-service volunteers insured status while operating their personally owned vehicles on behalf of the named insured. This new option takes it a step further and extends coverage to all volunteers engaged in the specified activity(ies) described in the schedule, or while acting on the named insured’s behalf if no activity is described in the schedule. Consequently, the more narrow CA 99 34 endorsement is withdrawn.
CA 05 25–Partners Or Members As Insureds. “Who is an insured” in the commercial auto coverage forms does not cover employees, partners or limited liability company members while operating their owned vehicles in business affairs. The exclusion can be overcome for employees by endorsing the CA 99 33–Employees As Insureds endorsement. This new option allows partners or members to obtain similar coverage while operating their owned vehicles in business affairs.
CA 04 52–On-Hook Coverage. The current CA 99 37–Garagekeepers Coverage endorsement provides coverage for damage to a “customer’s auto” while in the care of the insured in the course of “garage operations.” These garage operations include towing operations. This new endorsement provides targeted coverage for those insureds whose operations are limited to roadside assistance and while the customer’s auto is being towed. This is appropriate for an insured who does not own a service garage or storage facility.
CA 27 17 11 20–Designated Location(s) Products And Work You Performed Aggregate Limit For Certain General Liability Coverages. The current CA 25 59–Designated Location(s) General Liability Aggregate Limit For Certain General Liability Coverages auto dealer endorsement provides a designated premises aggregate. This new auto dealer option complements it by providing a separate products and work performed aggregate for each location.
CA 27 18 11 20–Automatic Insured Status For Newly Acquired Or Formed Limited Liability Companies–Other Than Covered Auto Coverages. In the various liability coverage parts (e.g., commercial general, electronic data, liquor and pollution), “Who is an insured” includes temporary Named Insured coverage for any newly acquired or formed organization, other than a partnership, joint venture or LLC. In 2019, liability endorsement options were introduced to add LLCs that the named insured newly acquires or forms, but subject to the same limitations applicable to other covered newly acquired or formed organizations. This new option accomplishes the same enhancement for auto dealers.
New coverage reductions
CA 27 16–Exclusion–Cross Suits Liability For General Liability Coverages. Currently, there exists a CG 21 41–Exclusion–Intercompany Products Suits endorsement that excludes product liability lawsuits between general liability named insureds. This new auto dealer option eliminates lawsuits between named insureds for all “bodily injury,” “property damage” and “personal and advertising injury.”
CA 27 15–Amendment Of Personal And Advertising Injury Definition–General Liability Coverages. This auto dealer option removes from “personal and advertising injury” any oral or written publication that violates a person’s right of privacy.
Auto dealers
Six new unmanned aircraft (drone) endorsements have been added. A data breach exclusion is added to the coverage form and seven additional insured endorsements are revised for consistency with general liability endorsements.
Truckers
CA 23 17–Truckers Uniform Intermodal Interchange Endorsement Form UIIE-1. This endorsement is revised to accommodate changes to the Uniform Intermodal Interchange and Facilities Access Agreement made by the Intermodal Association of America effective Oct. 1, 2018.
Miscellaneous
CA 20 71–Auto Loan/Lease Gap Coverage. This endorsement is revised to address deferred lease or loan payments in a total loss settlement.
CA 20 16–Mobile Homes Contents Coverage. This endorsement is revised to add a theft coverage option to the peril choices.
Includes copyrighted material of Insurance Services Office Inc. with its permission. Copyright, Insurance Services Office Inc. 2019.
Corbin is PIA Northeast’s director of research.
SECURITY
JOE YETTO President, TAG Solutions
Understand risk for great cybersecurity

When you go for a hike at Glacier National Park in Montana, you run the risk of having an encounter with an apex predator, the grizzly bear. The thought of coming face-to-face with a grizzly bear is frightening, yet thousands of people visit the park every year. Humans have learned that we can venture into the homes of grizzly bears safely if we take certain precautions.

If you want to hike in Glacier National Park, you need to start by thinking ahead and being prepared. This includes bringing the right equipment with you, doing your research about safety precautions at the park, and understanding the various risks that you might face, such as animal encounters, extreme weather or other natural occurrences.

Once you’ve made these initial preparations, you still want to make sure you’re secure while at the park. This includes staying on the recommended trails and established camping areas; making sure food is secured and sealed away so you don’t attract the attention of unwanted visitors; and not bothering the wildlife, even though you just want to get one picture. Oftentimes, a “just this once” situation is a risk you shouldn’t take.

Assuming you’ve done all of the preparation and followed all of the safety guidelines, there’s still a chance you’ll encounter that grizzly bear, and if you do, you want to
make sure you’ve got another level of protection in bear spray. This aerosol pepper derivative creates a temporary incapacitating discomfort for grizzly bears if sprayed into their face and in most cases will allow the hiker to avoid being attacked by the giant bear. The bear spray is designed to protect you from specific risks in the event that you’re up against an aggressive predator like a grizzly bear. If you run the risk of being mauled by an angry grizzly bear, use the bear spray.

This is an example of utilizing the proper protection mechanism based on the unique risk. It is imperative that you deploy the appropriate protective control(s) based on the actual risk with which you are faced.

The same concept holds true in the digital world. There is a wide variety of cyber security controls, such as firewalls, anti-virus agents and data encryption technologies, that are designed to protect organizations from different types of cyberthreats and vulnerabilities. There also are limited resources available (e.g., time, money and human capital) to implement cyber security controls properly, train employees how to use them and then maintain those controls going forward. Limited resources force us to be selective about which cyber security controls we choose to deploy. The decision to implement protective measures against cyber security threats should be entirely based on the desired level of overall risk reduction.

It is hard to reduce the risks posed by cyber security threats if you do not have a clear understanding of a few things in advance. First, you must understand all the unique risk events. In other words, what are the bad things that could happen because of the cyberthreats and vulnerabilities that exist? Examples may include:
• An unsuspecting employee falls victim to a crafty social engineering attack and accidentally downloads malware that then propagates across the network, encrypts all data and demands a ransom be paid in exchange for the decryption key.
• A forgetful employee leaves his or her company laptop in the hotel room and it is lost forever.
• A hacker successfully gains access to a public-facing server after cracking the password using brute force.

Second, you must understand the likelihood of the risk event occurring. Consider industry trends, historical data (i.e., has this ever happened before?), existing controls already in place, and the unique business operations of the organization. Take the example of an employee losing a laptop: the company laptop may be lost, but now you must challenge yourself to determine how likely it is that this particular risk event will occur. An organization that has hundreds of traveling consultants is far more likely to have one of them lose a laptop than an organization whose employees operate out of a single office location and that does not permit mobile devices to leave the building.

Third, you must understand the tangible and intangible impacts to the organization if the risk event occurs. Consider the ability to conduct normal
business operations, the health and safety of employees and customers, brand reputation, penalties or fines, and loss of revenue. Using the same example from above, what would be the impact to a company’s security level, public reputation, and revenue if an employee does lose that laptop?

Understanding what bad things can happen, how likely it is that they will occur, and how painful it will be to deal with them are all critical pieces of knowledge to have before making a decision about what types of protective controls to spend your limited resources on.

Remember, the goal is to reduce overall risk. Figure out what specific risk events are most likely to happen and will be extremely painful to deal with. Then decide what protective controls you should put in place to prevent those risk events from occurring. If you’re faced with a grizzly bear, you’re going to want that bear spray ready to protect yourself. Make sure the cyber security controls you invest in will address your actual risk as well.

Yetto is president of TAG Solutions. Reach him at www.tagsolutions.com.

To help agencies comply with various states’ cyber security regulations, PIA Management Services Inc. has partnered with TAG Solutions to offer an assessment and compliance program. See the PIA website (pia.org) for more information.
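The selection process described in the article above (list the risk events, estimate likelihood and impact for each, then spend a limited budget on the controls that lower overall risk the most), as an added example that is not part of the original article. The three risk events and three control types are the ones the article names; the 1-5 scales, the likelihood × impact score, the costs, the budgets and the mapping of controls to risks are assumptions constructed for illustration.

```python
"""Added illustration: rank risk events and choose controls under a budget.

Every number here is a constructed sample value, not data from the article.
"""
from dataclasses import dataclass, field
from itertools import combinations


@dataclass(frozen=True)
class RiskEvent:
    name: str
    likelihood: int  # assumed scale: 1 (rare) to 5 (almost certain)
    impact: int      # assumed scale: 1 (minor) to 5 (severe)

    @property
    def score(self) -> int:
        # Assumed scoring model: likelihood multiplied by impact.
        return self.likelihood * self.impact


@dataclass
class Control:
    name: str
    cost: int  # constructed budget units (time, money, staff)
    # risk name -> (likelihood points removed, impact points removed)
    effect: dict = field(default_factory=dict)


RANSOMWARE = "ransomware via social engineering"
LAPTOP = "lost company laptop"
BRUTE_FORCE = "brute-forced public-facing server"

RISKS = [
    RiskEvent(RANSOMWARE, likelihood=4, impact=5),
    RiskEvent(LAPTOP, likelihood=3, impact=4),
    RiskEvent(BRUTE_FORCE, likelihood=2, impact=4),
]

CONTROLS = [
    Control("firewall", 4, {BRUTE_FORCE: (1, 0), RANSOMWARE: (1, 0)}),
    Control("anti-virus agents", 3, {RANSOMWARE: (1, 0)}),
    # Encryption does not stop the loss; it shrinks what the loss costs.
    Control("data encryption", 2, {LAPTOP: (0, 3)}),
]


def rank_risks(risks):
    """Highest-scoring risk events first."""
    return sorted(risks, key=lambda r: r.score, reverse=True)


def residual_risk(risks, controls):
    """Total score left after the given controls; each factor floors at 1."""
    total = 0
    for risk in risks:
        likelihood, impact = risk.likelihood, risk.impact
        for control in controls:
            d_like, d_imp = control.effect.get(risk.name, (0, 0))
            likelihood = max(1, likelihood - d_like)
            impact = max(1, impact - d_imp)
        total += likelihood * impact
    return total


def best_controls(risks, controls, budget):
    """Exhaustively search control subsets that fit the budget.

    Returns (control names, residual risk). Ties go to the cheaper set.
    """
    best = ([], residual_risk(risks, []), 0)
    for size in range(1, len(controls) + 1):
        for combo in combinations(controls, size):
            cost = sum(c.cost for c in combo)
            if cost > budget:
                continue
            residual = residual_risk(risks, combo)
            if (residual, cost) < (best[1], best[2]):
                best = ([c.name for c in combo], residual, cost)
    return best[0], best[1]


if __name__ == "__main__":
    for risk in rank_risks(RISKS):
        print(f"{risk.score:>3}  {risk.name}")
    for budget in (0, 5, 6, 9):
        names, residual = best_controls(RISKS, CONTROLS, budget)
        print(f"budget {budget}: {names or ['(none)']} -> residual {residual}")
```

Raising the budget from 5 to 6 changes which controls are chosen rather than just adding one, which is why the choice has to be made against the whole risk picture and not one risk at a time.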
RISKS
ADAM STERN Founder and CEO, Infinitely Virtual
Least privilege + zero trust = cybersecurity

In a twist on that old saying about little kids: Firewalls are meant to be neither seen nor heard. They’re silent protectors and as such, they’re little short of remarkable, safeguarding insurance agencies and client data through all manner of tech wizardry, as cyberthreats morph and malign actors proliferate. Still, as recent history demonstrates, firewalls are far from impenetrable and, increasingly, are subject to workarounds that place agents, brokers and their organizations and clients at risk.

What needs rethinking isn’t so much the firewall as an invisible protective shield as the presumption that everything nefarious occurs outside that barrier. While perceived threats and vulnerabilities exist in the wider world, truly effective security policies assume nothing. The conventional wisdom once held that everyone inside the network was trusted and everyone outside was not. But as reported in Software Strategies Blog, “stolen privileged access credentials are the leading cause of breaches today. Forrester [Research] found that 80% of data breaches are initiated using privileged credentials, and 66% of organizations still rely on manual methods to manage privileged accounts.”

The newer, more enlightened paradigm for security is “more trusted” and “less trusted”—and that’s when the principles of zero trust and least privilege come into play. “Organizations must discard the old model of ‘trust but verify’ which relied on well-defined boundaries,” said Louis Columbus of the security firm Centrify. “Zero trust mandates a ‘never trust, always verify, enforce least privilege’ approach to privileged access, from inside or outside the network.”

Per Forrester, zero trust architecture abolishes the idea of a trusted network inside a defined company perimeter. Zero trust mandates the creation of micro-perimeters of control around an insurance agency’s sensitive data assets and provides visibility into how it uses data across its ecosystem to win, serve, and retain clients. Under a zero trust regime, all applications are configured to challenge and encrypt, enabling any broker or insurance provider to build out its infrastructure around that concept. Zero trust, paired with multifactor authentication, has become the industrial strength option in today’s environment, which is why zero trust should be the linchpin of cloud best practices for any and every organization in the industry.

In enlightened insurance agencies, the notion of least privilege applies to every employee. Encryption is the rule internally, and multifactor authentication to log into every networking component and storage system is mandated; no one can delete a snapshot or burrow into the firewall. The upside is clear:
since all user data is inside the network, there’s no need to sweat issues like internal encryption—the hosting provider already has handled it. And that extends to the rights conferred on users, including their ability to use home equipment on an office network or some permutation thereof, which has become standard operating procedure during COVID-19. In theory, every hosting provider ought to embrace this essential principle. The fact is, not everyone does. But, those who do embrace it benefit from the simple fact that no single actor can shut down the system, whether through error, carelessness or malicious intent. Vigilance, through smart policies and procedures, really does prevent outages.
Why aren’t least privilege and zero trust the new normal? There’s clearly a learning curve at play, along with perhaps some resistance to a notion that is both unfamiliar and, at first blush, counterintuitive—at least where the jargon is concerned. An implicit message of “trust no one” would appear to be something less than a confidence builder within the firm. It feels binary—our team, the other team. Or as Robert De Niro put it in the movie Meet the Parents, you’re either inside the Circle of Trust or you’re on the outs.
Except that in this case, there’s nothing personal about least privilege and zero trust. Quite the contrary, those inside the firewall are infinitely better off for the presence of these policies and here’s why: they’re designed to protect everyone. Insurance industry professionals—who, as a group, are notorious for erring on the side of caution—have long wanted to limit network privileges based on the roles of those within that circle. They’re the ultimate enforcers of need-to-know. “What do you need to do your job?” is another way of saying that anyone can trip over gratuitous rights. Least privilege principles keep people in their lane for their own good, no matter how patronizing that may sound.
As Gresham Harkless, blogger-in-chief for CBNation, puts it, “the zero trust model of network security has been … spurred on by the constant barrage of cyber threats that seem to continually break through traditional security measures.” Russell Walker, CISO for Mississippi’s Secretary of State, who recently told Cyber Security Hub that the game has changed, irrevocably, said, “The perimeter in the traditional sense has disappeared. The network itself is no longer a static environment we can put barriers around, have a guard at the gate and say, ‘Now we are protected.’” He’s also right to underscore that zero trust and least privilege aren’t merely technologies and policies. They truly do involve changing the way IT staff and end-users think and approach their environment.
And, not a moment too soon.
Stern, Infinitely Virtual founder and CEO, is an entrepreneur who saw the value of virtualization years before the trend took hold. Founded in 2007, Infinitely Virtual helps businesses move from obsolete hardware investments to an IaaS cloud platform, providing the flexibility and scalability to transition applications and data from in-house to the cloud.
The human impact of a data breach
Better manage the potential reputational fallout of a cyberattack
VIVIAN MARINELLI, PSY.D. Senior Director, Crisis Management Services, FEI Behavioral Health
Remember not long ago when the word cyberattack was new to you? However, just like the words COVID-19 or pandemic now are part of our vocabulary, cyberattack—once a new concept—is now, unfortunately, a term we know well. And, other words such as data breach, cybersecurity, and hacking have become common household and business terms since the major breach of Target Corp. in 2013. Since then, companies have expanded a basic understanding of cyber crime risk and prevention among internal departments, creating roles such as chief information officer or IT director.
While most organizations have an information security plan in place to defend their data and infrastructure, they often aren’t as prepared to deal with the human consequences of an attack. We’ll address what steps to take when the next data breach does occur.
Last year provided plenty of stress and uncertainty for all of us, including your clients. If you (or a bank or a credit card company) have to make a call to tell your clients that their personal information has been compromised, you can imagine how quickly the stress level will intensify.
Cyberattacks can be stressful for victims, especially without advance warning or time to prepare. They can affect victims at three levels:
• Corporations. When an agency’s sensitive information has been hacked, it ends up facing a lot of scrutiny. How could you let this happen? How does this impact the clients’ information? What are you going to do to fix this? The perception of the agency’s image will take a negative hit, especially in the media or with your customers.
• Employees. Employees, too, are affected on a personal level as the first line of response for customers after an attack. Updating your staff about the planned response and support that will be communicated to customers is imperative for your agency to regain trust, create a unified message and build a positive image. Keep in mind your employees’ personal information may have been breached as well.
• Customers. Often the hardest hit during an incident. Their sensitive information has been stolen, usually under circumstances completely beyond their control or knowledge. It can be a traumatic and fear-inducing experience.
That means your agency must be ready to respond to and support each of the audiences in the days, weeks and months after a cyberattack. How to do that? It starts with a solid business continuity/disaster response plan. In a data breach situation, you will rely on the disaster response portion of the plan.
The first step is identification of the breach. Once you have identified that an attack has occurred, you can begin to stop additional damage from happening. This involves a basic three-step approach for responding to a cybercrime:
1. Report the crime
2. Repair the damage
3. Prepare for re-victimization
Report the crime
Reporting the crime is complicated. It involves notifying not only the authorities but also customers. That is also when the human impact will start. This is when the most fear, anxiety and need of support will occur. Depending on the size of your organization, you may need to activate a call center to notify the various stakeholders of the organization. Having the information about how the breach was identified and reported to authorities might help lower anxiety and fear.
Specifically, a good plan will outline a process for quickly assessing the scope of an attack’s potential personal impact. It also will detail how the company will assist its customers and employees through elements like:
• Set up a call center to assist customers. This might include an on- or off-site call center staffed by a crisis management provider, staff counselors, critical incident responders, and/or the human resource department.
Many independent insurance agencies do not have the resources internally to support every victim of a cyberattack. Establishing relationships with outside vendors for support beforehand is vital, especially for the onslaught of calls that will occur within the first 48 hours after news of the data breach goes public.
Repair the damage
It is not uncommon for victims to run the gamut of anger, guilt, anxiety and fear of vulnerability after a data breach. These responses are understandable. An employee or customer whose data is stolen can spend years enduring the consequences. Remember, victims of cybercrime do not just lose a credit card or account passwords; they lose the sense of privacy and control over multiple aspects of their lives—from medical histories to Social Security numbers and identities—for an unknowable duration. Many times, a data security program will be offered to the victims for several years as a way to ensure no additional breaches occur.
To help them, you should provide virtual or on-site counseling and support. An organization must act as an advocate for the victims. Remember, this is not their fault. Affected organizations should:
• Listen. You may be the first person to listen to what the victim is experiencing and feeling.
• Provide information. You need to be able to provide details on what information was breached, what you are doing to ensure their data is safeguarded going forward, and how you are supporting them at this time.
• Keep an open mind. Yes, the client or customer initially will blame the agency, but being proactive in reaching out and being as transparent as possible will be most helpful during this difficult time.
• Normalize your customer’s feelings. Provide specific ways to help them decrease their sense of violation now and increase their sense of security in the future.
Prepare for re-victimization
As with any crisis scenario, potential challenges will likely arise in the moment. In the case of a cybercrime—especially one on a news-attention-grabbing scale—these might include the need to manage media leaks and press; the need to communicate relevant information in a timely manner, with limited or no use of technology; and the need to quickly address an influx of questions and concerns from customers and employees—both current and former. It is therefore important to update your continuity plan to maintain business operations.
Like any crisis plan, a cyberattack response plan is only as good as the training behind it. Most cyberattacks come from innocent-looking emails with attachments that get opened (i.e., phishing). These emails look like they are from someone you know, but actually are from hackers. Once a link is clicked, it opens the door for hackers to gain access to sensitive information. All employees should be educated on cyberthreats, so they increase their awareness and they can report anything that appears suspicious.
Protocols to assist your customers and employees. The follow-up in the aftermath of a cyberbreach can be overwhelming for the victim. It also can be overwhelming for company staff. An employer-sponsored Employee Assistance Program can help employees in two ways. In the case of an internal breach, EAP counselors can connect staff to resources and guide them through the sense of loss and confusion by providing telephonic and face-to-face support. In an external or customer-facing breach, the employees themselves may need support after dealing with frustrated and frightened customers. An EAP can offer that extra in-person or telephonic group support in the form of a debriefing, which will allow employees to share their experience and concerns. It also will allow information to be shared from the organization on additional support and resources for the employees as they continue to work through the situation.
Helping new hires to avoid pitfalls. As part of the onboarding process (or as a refresher for all staff), new employees should be warned to:
• Exercise caution when opening email attachments, even if the attachment is expected and the sender appears to be known. Be particularly wary of compressed or ZIP file attachments.
• Avoid clicking directly on website links in emails. Instead, users should type the link directly in the browser’s search bar or attempt to verify web addresses independently (e.g., contact the organization’s help desk or search the internet for the main website of the organization or topic mentioned in the email).
• Log off or use a screen saver when not in front of a computer.
• Report any suspicious emails to your help desk or security office immediately.
• Avoid unsecure Wi-Fi hotspots. If employees currently are working remotely, make sure they have a secure log in. Any time an employee connects to public Wi-Fi, the data on a company’s server is open for hacking. It goes without saying that airport and hotel Wi-Fi is another concern for employees who (used to) travel frequently.
• Be smart about peer-to-peer file sharing. Sharing files via flash drive is akin to a college student sharing a drinking cup. Instead of spreading germs, the drives potentially spread viruses.
• Avoid downloading software or apps from unknown sources.
• Maintain good password integrity, with the option to change passwords regularly.
• Be smart about laptops or mobile devices that float between systems and could, therefore, pick up viruses or compromise the system.
After reviewing technology protocols with new hires, you need to provide learning opportunities for identifying potential threats. Send a mock-questionable link to employees to see if they click on it, and implement consequences when an employee leaves the agency open for a cyberattack. Cyber security training is not a one-time event or something that only applies to the IT Department. It should be treated as an ongoing process and include employees across the agency’s footprint.
Continue to communicate and update. The last point—ongoing updates and communication—cannot be stressed enough. In a culture reliant on technology for a steady flow of information, separation from a business’s network in a time of crisis can be disorienting and chaotic. It is difficult to send an all-customer email when the corporate email system is down or vulnerable. Instead, proactively establish communication protocols that rely on phone, text, social media (your Facebook page) or face-to-face interactions.
Attacks against information technology infrastructure have a devastating impact for businesses of any size. The operational repercussions extend beyond the agency’s walls to vendors, customers, partners and prospects. Following the above suggestions will help your agency stay resilient and better manage the potential reputational fallout a data breach can have on your organization.
FEI has a 40-year history in enhancing workforce resiliency by offering a full spectrum of solutions, from EAP and organizational development to workplace violence prevention and crisis management. For additional information, visit www.feinet.com. Marinelli provides consultation with customers on behavioral health as well as emergency preparedness, crisis response, and family assistance issues. She is experienced in the development of curriculum and training of FEI affiliates to serve as crisis support coordinators, and employees to act as peer support facilitators. She brings over 15 years of work in direct clinical services specializing in trauma and grief counseling to her position, which focuses on assisting individuals involved in critical incidents.
MATTHEW KLETZLI Management liability practice leader, Victor Insurance Managers Inc.
Technology scams in uncertain times
Watch out for these five examples
As remote working becomes more popular, businesses and their employees are increasingly vulnerable to technology scams. This recent shift has created a perfect environment for cyberscammers and cybercriminals who are looking to take advantage of human behavior for their own personal or monetary gain. Whether employees are on their computers, tablets or mobile phones, everyone needs to be on guard. Here are five examples of technology scams that you and your clients could encounter, along with tips on ways to protect yourselves from these scams before they occur.
No. 1: Phishing. Louise receives an email with the subject heading: “Important update” and/or “urgent,” with a link that directs her to a supposed Microsoft login page, which then prompts her to sign in to access critical information. This is a phishing email scam. The scammer wants to harvest Louise’s password and steal her money and identity. Such a scam can appear like it is coming from a recognized public health authority, government office, or even from a colleague, friend, or family member.
Tip: Important information that is sent via email, in the form of an attachment with little or no message in the body of the email, is likely a scam. If a public health organization wants you to be aware of important information, it will simply tell you in the body of the email or send you a letter by regular mail. Do not click on a link without first ensuring it is a valid address. Scammers are growing more sophisticated, and they can create convincing emails that trick us into taking action. Be wary of any emails or texts that you were not expecting to receive—especially those containing links and attachments from unknown or suspicious senders. If you are unsure if the email or text was sent by an individual or known company, contact that individual or company directly to verify that the message is real.
No. 2: Ransomware. Henry browses the internet while on his company’s network and he visits an unrecognized website supposedly containing important information. He clicks on a link to this information, which then causes his company network to be infected with a ransomware virus—ultimately making his company’s network and data inaccessible. The virus also causes the company network and systems to crash. Now, no one at Henry’s company is able to access their computer and systems, and they are faced with ransom demands.
Tip: Ransomware has been called a rising problem for years, costing victims in excess of $3 trillion annually. While the attacks grow, including infecting backup systems, most rely on employee error to bypass security. Everyone has a role to play regarding prevention—and a good place to start is to be careful when surfing the internet and ensure that websites are legitimate and trusted sources. Pay attention to the domain name. Scammers may mimic known companies with small changes to the company’s official name (e.g., Amaz0n.com) to trick you. So, be sure to double check the website address bar to ensure accuracy first, before visiting a website. Also, before you enter any private information, ensure the website address is secure and uses encryption. It is always a good idea to check that the URL starts with “https” (note the “s”) rather than “http,” which is unsecure. Never enter personal information on websites that are unsecured. Some browsers such as Google, Firefox or MS Edge, may warn you of suspicious or unsecured websites. Look for grammar or spelling errors, which could be clues that a website was created quickly and is fraudulent. Legitimate companies have professional websites with grammatically sound content. To mitigate potential attacks on your computer network, also ensure you have intrusion detection, anti-virus and anti-theft software in place and practice regular backup protocols. Only use secure Wi-Fi with security protection software in place. Don’t use open or publicly accessible Wi-Fi when working on your laptop or any other technology device.
No. 3: Smishing. Jasmina receives a text message on her mobile phone from what appears to be an emergency response support agency, purporting to have sent her relief funds to assist her during a financial crisis. This is a texting scam called smishing.
Tip: To protect yourself, be wary of text messages from unknown or suspicious senders. In fact, don’t click on any link unless you have a reasonable basis to trust it, or it is a well-known website of an established organization. If you are unsure if the website you are visiting is linked to an established or well-recognized organization, conduct research. Copy the link or website address of the organization in question directly into your web browser to ensure it is legitimate. If you were not expecting the text message, it is most likely not real and is an attempt to infect your mobile phone or device with a virus—again making your phone or device inaccessible. The text message also could be an attempt to gain unauthorized access to sensitive information. Do not reply to the text message and delete it immediately.
No. 4: Vishing. Luca receives a call on his phone, supposedly from his local government soliciting donations. As a business leader, he also may receive calls from scammers trying to exploit his vulnerability due to the financial fallout of the crisis by offering him first aid supplies or a bailout loan.
Tip: This is a form of social-engineering fraud or scam called vishing, and it is a fraud tactic that tricks individuals into revealing financial or personal information. Do not reveal any personal or financial information to unsolicited callers. Hang up and call the organization or charity directly to verify the validity of the call before providing any information. Taking this extra verification step will help to protect you from financial loss. In addition, ensure your employees are aware of these scams, so they can avoid them. However, if you’ve fallen victim to such a scam, contact your local anti-fraud center or the police. If you have a cyber liability policy in place, report this phone scam to your insurance company.
No. 5: Hacking. Roger is working from home and he decides to respond to pressing client matters using his personal email in order to save time. Since his personal email is not encrypted, a hacker is able to access his emails and becomes privy to sensitive and confidential information. Now, the hacker is able to use this information to perpetrate identity theft against clients of Roger’s employer. As a result, his employer is faced with a potential third-party liability claim. Not only that, but the insurance company will not pay the claim as Roger was not using his company’s secure network while working.
Tip: Only use secure, corporate-protected networks when working from home. Avoid using personal emails as they are outside your agency’s information technology department’s control, without the same stringent security protocols. Companies will customarily use virtual private networks, two-factor authentication and/or multifactor authentication, alongside additional security in order to access their networks securely. Personal emails may not only expose a person to man-in-the-middle scammers, but also could unknowingly expose sensitive information in your emails to untrustworthy individuals (“bad actors”) and/or scammers. Employees also may be violating company policy by using their personal email, which could invalidate an agency’s cyber security liability insurance policy, should a claim arise.
Finally, in all circumstances, ensure that your user name and password(s) are not easy to figure out by a hacker. Update your passwords regularly and use passwords and user names that consist of a complex combination of letters, numbers and symbols. Avoid using common names and numbers (e.g., your name, birthday, 123).
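The domain-name and “https” checks from the ransomware tip can be automated for links pulled out of an email or text message before anyone clicks them. The Python below is an added example, not part of the article: the allowlist, the character-swap table, the sample URLs and the function names are assumptions, and treating the last two labels of a hostname as the domain is a simplification.

```python
from urllib.parse import urlsplit

# Constructed allowlist: domains the agency actually does business with.
TRUSTED = {"amazon.com", "microsoft.com", "pia.org"}

# Character swaps often used to imitate a name (digit for letter, "rn" for "m").
SWAPS = (("0", "o"), ("1", "l"), ("3", "e"), ("5", "s"), ("rn", "m"), ("vv", "w"))


def registrable(host):
    """Last two labels of the host. Simplification: production code should
    consult the Public Suffix List so names such as example.co.uk work."""
    return ".".join(host.split(".")[-2:])


def skeleton(name):
    """Collapse look-alike characters so 'amaz0n.com' compares equal to 'amazon.com'."""
    for fake, real in SWAPS:
        name = name.replace(fake, real)
    return name


def edit_distance(a, b):
    """Levenshtein distance, computed one row at a time."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def check_link(url, trusted=TRUSTED):
    """Return a list of findings for one URL; an empty list means nothing was flagged."""
    findings = []
    parts = urlsplit(url.strip())
    host = (parts.hostname or "").rstrip(".")
    # "https" only means the connection is encrypted; a look-alike site can
    # still have a valid certificate, so the domain checks below matter too.
    if parts.scheme != "https":
        findings.append("not-https")
    # Text before "@" is a user name, not the site: the real host comes after it.
    if parts.username is not None:
        findings.append("userinfo-before-host")
    if not host:
        return findings + ["no-hostname"]
    if not host.isascii() or any(label.startswith("xn--") for label in host.split(".")):
        findings.append("internationalized-hostname")
    domain = registrable(host)
    if domain in trusted:
        return findings
    for good in sorted(trusted):
        if skeleton(domain) == skeleton(good) or edit_distance(domain, good) == 1:
            findings.append("lookalike-of:" + good)
        elif host.startswith(good + ".") or ("." + good + ".") in host:
            findings.append("trusted-name-as-subdomain:" + good)
    return findings


if __name__ == "__main__":
    # Constructed sample links, as they might appear in a suspicious message.
    samples = [
        "https://www.amazon.com/orders",
        "http://www.Amaz0n.com/signin",
        "https://rnicrosoft.com/login",
        "https://amazon.com@account-check.example/",
        "https://amazon.com.account-check.example/signin",
    ]
    for link in samples:
        print(link, "->", check_link(link) or "no flags")
```

A link that returns no findings has only passed these checks; verifying an unexpected message with the sender directly, as the tips above advise, still applies.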
When working remotely Now that a large portion of the workforce continues to work remotely, here are some additional tips that you and your employees should consider:
• Don’t copy work-related information to personal technology devices (e.g., personal phone, home computer or personal online storage).
• Mute or shut down any digital assistants (e.g., Alexa or Google Home) since they are recording nearby conversations constantly.
• Protect your privacy while video conferencing using platforms like Zoom or Skype by making the meeting private to prevent bad actors from barging in. Also, limit sharing capabilities to protect sensitive information.
• Don’t let family members or friends use your company-provided equipment (e.g., laptop or mobile phone).
• Don’t use personal email, file sharing sites, social media or other systems that are not approved and secured by your business.
• Conduct regular security audits and tests on your computer and systems.
• Implement a plan in case of a technology scam or cyberattack.
• Make sure you (and your clients) have comprehensive cyber liability coverage in place.
The bottom line is that the trend toward working from home is expected to continue as companies realign their workforces to keep them safe and their businesses resilient. However, now is the time to be on the lookout for technology-related scams.
Kletzli oversees the growth and development of Victor’s growing suite of management liability programs. He has over 25 years of commercial-lines insurance experience. Reach him at matt.kletzli@victorinsurance.com. Learn more about Victor at victorinsuranceus.com.
UM/UIM: What’s your agency position? Consider the fact that a 2015 study—the most recent year for which data was available—indicated that 1 of every 8 cars on the road is not insured. That’s correct—13% of drivers nationwide are driving without coverage. In some states, that number is 1 in 5. This is despite the fact that in virtually all states, with possibly one or two exceptions, drivers are required to maintain some type of auto insurance. In that 2015 study, this correlated to 29.7 million uninsured people. What does this mean? If you or one of your clients is involved in an accident, there is a 1 in 8 chance that the other driver does not have insurance. Without the proper insurance, this can result in your customer paying for his or her own injuries or vehicle’s damages—or you paying if you are involved in such an accident. While going to court is an option, there is a better way that involves using one’s own automobile policy and the uninsured motorist coverage portion. The more common types of protection are: Uninsured motorist insurance. This coverage will pay the medical bills (for the driver and passengers) if one is involved in an accident with an uninsured at-fault motorist. UM insurance will reimburse for lost wages, and it also will provide coverage if one is hit as a pedestrian by an uninsured driver or is the victim of a hit-and-run accident. Underinsured motorist protection. This coverage applies when the at-fault driver has insufficient insurance to compensate the other party fully. Generally, it is defined as anyone who is at-fault and has bodily injury liability limits that are less than the UIM limits of the party not at fault, and the limits are not enough to cover the losses of those injured. With the significant potential that your agency could have a client involved in an accident with someone who either does not have insurance or does not have sufficient insurance, how is your agency handling this issue? 
This is an important issue, so it’s vital that your customers understand this coverage fully. The agency should ensure that the staff is educated on the topic, an official position is taken, and the appropriate procedures are developed. Without that education and established procedures, the following actual errors-and-omissions claim could happen in any agency: The underlying claim involved a drunk driver who struck the rear of the agency customer’s vehicle, injuring the husband and wife who were in
PIA.ORG
E&O
CURTIS M. PEARSALL, CPCU, CPIA
the front seats, and killing the daughter in the back seat. The insurance settlement from the at-fault party was insufficient and the plaintiff (agency client) brought legal action against the agency with which they were insured. They took the position that with respect to their own coverage, if the UIM limits are lower than the BI limits, the agency owed a duty to explain the coverage afforded by UIM and the agency was required to secure a rejection in writing of this coverage if the UIM limits were less than the BI limits. Recently, the clients had raised their limits to $500,000, but there was apparently no discussion of the UIM issue. In fact, it appears the agency did not have a specific procedure addressing UIM coverage in relation to BI coverage, and thus, there was no signed rejection of coverage required or completed. There are many lessons to be learned from this claim: Educate your customers. Undertake an initiative to educate your clients and prospects on the value and purpose of UM/UIM coverage. This education could involve a newsletter, blog, or some type of notice on your agency’s social-media
29
WEBINARS Dynamic CE Credit –Anywhere
platforms. If you would like to use an actual claim as an example to help make the point, one of your carriers can possibly provide you with one. On those occasions when you are personally meeting with the client, ensure that this topic gets more than just a cursory overview and mention. It would be prudent to see if your agency system can identify those clients who have UM/UIM limits less than their BI limits, so you can send them a letter encouraging them to consider increasing the UM/UIM limit. Establish a procedure. The agency should have had a stated procedure that the UM/UIM limits should be equal to the BI/PD limits. Some agents may contend that this coverage is expensive and it is likely the client is not going to buy it. The appropriate response to that line of thinking is this is not the agent’s decision to make. It is always highly suggested to provide the client with limit options. When an agency does that, it forces the customers to choose which option they want. Use a rejection form. Many states require the client to reject the higher limits through a carrier rejection form. Agents should ensure their clients are aware of what the requirement is in their states. In addition, the rejection form typically needs to be signed by all insureds, not just the first named insured.
Know your carriers’ coverage options. If your carriers allow the umbrella to provide excess coverage over the underlying UM/UIM coverage limits and the client is carrying the proper underlying limits, advise the client of this option.

UM/UIM is a serious issue and agents should be sure to treat it as such.
Audits policy language and privacy notices

Business records subject to audit

Q. One of our clients owns apartment buildings, and our agency writes the commercial general liability policy on these buildings. The insurance company wants to see copies of the contracts that our client has with its service companies. Is the insurance company within its rights? What can a company require—by way of business records—in connection with a premium audit?

A. The company appears to be asking for records that may lie beyond the scope of its audit privileges under the policy conditions. The commercial general liability’s common policy conditions allow the company to “examine and audit your books and records as they relate to this policy at any time during the policy period and up to three years afterward.” At audit, the company has a right to examine records that would shed light on whether the risk is classified and rated properly. Apartment buildings are rated based on the number of apartment units. The company needs to justify its request to review your client’s service company contracts in terms of verifying the classification and the number of units involved or the existence of any exposure or exposures that need to be classified separately and rated under the rating exceptions listed in Note 6 to the classification table (e.g., indoor parking and swimming pools). A company’s audit privilege is not a license to conduct a fishing expedition through your client’s office. Your company needs to present a convincing argument that the records it requests are related to a legitimate line of inquiry. —Dan Corbin, CPCU, CIC, LUTC

Privacy notices–insurance agency responsibilities

Q. An insurer sends out privacy notices to my clients. As an agency owner (producer, manager, compliance officer), should I send agency-specific privacy notices, too?

A. Usually, yes. As a “financial institution” under the Gramm-Leach-Bliley Act (and similar regulations adopted by the various states), an insurer sends out privacy notices that pertain to the insurer’s information collection and dissemination policies. This is sent at the time of the commencement of the business relationship (when the policy is bound) and annually thereafter.

As an insurance producer, you also are considered a financial institution, and generally you are required to send GLBA or state-mandated notices. There are exclusions to this requirement—if you are acting as the agent of a principal (such as an insurer) and do not share a customer’s information with anyone else, your privacy notice requirements may be satisfied by adopting and distributing the insurer’s notices. However, this is a narrow exclusion and has the potential to leave even a cautious agent open to liability. If you share a consumer’s information with any other nonaffiliated third-party business, you must begin the process of establishing and sending privacy notices. It can be difficult to foresee a future need to enter into a business relationship with a nonaffiliated company that may require access to customer data. It can be tricky to determine if a third-party business is “affiliated” with the (insurer) principal. Because of these factors, PIA recommends that agencies create and distribute their own privacy notices to know that they are covered right now and in the future, regardless of business changes. For information and guidance on the relevant state regulations and assistance in generating your notices, see PIA’s Privacy Compliance Central (pia.org/IRC/privacy). —Clare Irvine, Esq.

ASK PIA
PIA TECHNICAL STAFF Have a question? Ask PIA at resourcecenter@pia.org