2022 February PIA Connecticut by PIA Northeast

February 2022• Connecticut

PAGE 20

PROTECT your clients’

PERSONAL

INFORMATION

Cybercriminals are targeting the insurance industry

IN THIS ISSUE 9

Who’s liable for a website’s content?

Avoid a false sense of (cyber)security

Agents’ cyber risk coverage factors

Cut Down On Potential Issues Ensure your small business customers are protected with a Workers’ Compensation policy from The Concord Group

COMING IN 2022! The Concord Group will be introducing our new Workers’ Compensation coverage that includes competitive commission and a Paid in Full Discount*.

Find out more at concordgroupinsurance.com *available in applicable states

DEPARTMENTS February 2022 • Connecticut

In brief

Legal

Sales

E&O

Ask PIA

Readers’ service and advertising index

Officers and directors directory

COVER STORY 20 Protect your clients’ personal information Cybercriminals are targeting the insurance industry

FEATURE 27 How secure is your agency’s data? Think beyond traditional forms of defense

Statements of fact and opinion in PIA Magazine are the responsibility of the authors alone and do not imply an opinion on the part of the officers or the members of the Professional Insurance Agents. Participation in PIA events, activities, and/or publications is available on a nondiscriminatory basis and does not reflect PIA endorsement of the products and/or services. President and CEO Jeff Parmenter, CPCU, ARM; Executive Director Kelly K. Norris, CAE; Communications Director Katherine Morra; Senior Magazine Designer Sue Jacobsen; Editor-In-Chief Jaye Czupryna; Advertising Sales Executive Susan Heath; Communications Department contributors: Athena Cancio, David Cayole, Alexandra Chouinard, Patricia Corlett, Darel Cramer, Roberta Lawrence, Crystal Ringler and Calley Rupp. Postmaster: Send address changes to: Professional Insurance Agents Magazine, 25 Chamberlain St., Glenmont, NY 12077-0997. “Professional Insurance Agents” (USPS 913-400) is published monthly by PIA Management Services Inc., except for a combined July/August issue. Subscription rate for members is $13 per year, which is included in the dues; subscription rate for nonmembers is $25 per year. Professional Insurance Agents, 25 Chamberlain St., P.O. Box 997, Glenmont, NY 12077-0997; (518) 434-3111 or toll-free (800) 424-4244; email pia@pia.org; World Wide Web address: pia.org. Periodical postage paid at Glenmont, N.Y., and additional mailing offices. ©2022 Professional Insurance Agents. All rights reserved. No material within this publication may be reproduced—in whole or in part—without the express written consent of the publisher.

COVER DESIGN Roberta Lawrence Vol. 66, No. 2 February 2022

IN BRIEF

FYI

Cybersecurity and the agency contract Bradford J. Lachut, Esq., director of government & industry affairs, PIA Northeast

Usually during a contract review, a producer is concerned about ownership of expirations; commission schedules; or maybe even the agency’s status as an independent contractor. These are all important clauses in any agency agreement and should be reviewed thoroughly. However, producers also need to pay attention to the cyber security provisions clauses in their agency contracts. Read your contracts carefully Carriers often will revise their agency contracts, and they will include in the terms of that agreement a privacy/ cyber security compliance clause that would require any agency that agrees to the terms of the contract to adopt cyber security/privacy protections beyond those that are required by a state (e.g., Connecticut and New York). Specifically, under the terms of these types of clauses, producers could be required to train their employees regarding information security and the protection of sensitive personal information, or SPI—such as, Social Security numbers, driver’s license numbers, credit-card numbers and financial account information. In addition, producers could be required to encrypt all SPI when they transmit or send it wirelessly or across public networks; or store it on portable devices and storage media. Can you guess how many of the previously mentioned requirements your agency would have to comply with if it qualified for the limited exemption under the New York state cybersecurity regulation? If you answered, “all of them,” you’re missing the point of article. Actually—with a limited exemption qualification—you wouldn’t have to comply with any of the requirements. That’s right zero.

The same is true of an agency contract. Maybe carriers might not really care about your protection of SPI, but they certainly care about you being licensed or knowing that you are required to notify them of potential claims. If you hadn’t complied with the privacy/cyber security compliance clause, what guarantee is there that you complied with any other provision in the contract? Noncompliance with a cyber security provision also can be expensive for an agency. The most likely way an insurance agency could be found to have been noncompliant with cyber security requirements is when a data breach occurs. This is an expensive proposition for an agency. It could involve hiring information technology experts to figure out how the breach occurred and compensating the policyholders whose information was compromised— and those are just two possible expenses. Of course, it doesn’t end there.

The moral of this story: Just because you think you are complying with state law, it does not mean you are complying with the terms of your agency contracts. Reading the fine print of your agency agreements is extremely important. [EDITOR’S NOTE: Don’t want to read the fine print? PIA will do it for you! Another benefit of PIA Northeast membership.]

Indemnification or hold-harmless clause Most, if not all, agency agreements contain an indemnification or hold-harmless clause. Under the terms of this clause, an agency that was negligent in protecting SPI could be liable not only for its own damages and expenses, but for the damages and expenses a carrier incurred because of the negligent acts by the agency.

What about noncompliance? The next part of the discussion: What happens if you are in noncompliance with an agency contract? Best-case scenario is that nothing comes from it. Realistically, this is unlikely to be the case. At times like this, it’s best to remember the band Van Halen.

Is it guaranteed that huge bills and a terminated agency agreement will follow if you fail to adhere to the cyber security clause that is in your agreement? Of course not. But, why risk the future of your agency when help is only a phone call or email away.

In the legal world, Van Halen is famous for “the M&M’S rider.” In Van Halen’s standard performance contract, 4

there was a provision that called for concert venues to provide the band with snacks backstage, including a bowl of M&M’S, from which all the brown candies were required to be removed. Of course, everyone assumed this was just typical rock-band ego, another example of superstardom gone to the band members’ heads. Maybe it was. But, that provision was there for a practical purpose: To determine if the concert providers actually read the contract the band provided them or whether they just signed it without a second look. If they didn’t read the provision about the M&M’S, what guarantee was there that they read all the safety requirements contained in that same contract?

If you’ d like PIA Northeast to review your agency contract with an insurance carrier, contact the PIA Industry Resource Center at (800) 424-4244 or resourcecenter@pia.org.

PROFESSIONAL INSURANCE AGENTS MAGAZINE

BY THE NUMBERS

Cryptocurrency trends People and businesses across the globe have shown an increased interest in cryptocurrency as a viable currency and a possible investment strategy. Are you using—or have you considered using—cryptocurrency at your agency? Have clients contacted your agency to ask about the insurance coverages available to protect cryptocurrency, and the possible risks associated with investing in it? HERE IS WHAT YOU NEED TO KNOW.

What is cryptocurrency?

A growing market

Cryptocurrency is digital, encrypted, decentralized currency that has no authority that manages or maintains its value.

48%

CRYPTOGRAPHY is used to make counterfeiting cryptocurrency nearly impossible.

OF DAILY ONLINE TRANSACTIONS $6 are made with Bitcoin. BILLION

BITCOIN, DOGECOIN, PEERCOIN, NAMECOIN and ETHEREUM all are types of cryptocurrency.

Only VISA CARD ($30.3 BILLION) and MASTERCARD ($16.2 BILLION) exceed these daily sales.

Value of all cryptocurrencies combined:

$1.8 TRILLION

OF CRYPTOCURRENCY SALES took place in the U.S. in 2020—the highest in the world.

As of 2021, there are more than

What are the risks when investing?

4,000

CRYPTOCURRENCIES.

THE MARKET IS UNSTABLE—the value of cryptocurrency fluctuates constantly. CRYPTOCURRENCY IS NOT REGULATED by any government or financial institution. CRYPTOJACKING: The unauthorized mining (or purchase) of cryptocurrency from someone else’s computer. • A new cyberthreat • 25% of businesses are estimated to have been cryptojack victims. • Cryptojacking starts with a malicious link, usually sent via email.

Advice for clients who are looking to invest in cryptocurrency.

Something to consider: As the market continues to grow, and cryptocurrency gains prevalence, maybe it’s time to consider accepting cryptocurrency as a valid form of payment at your agency.

4.2%

Insurance coverage for cryptocurrency COVERS ONLY ABOUT 4.2% OF THE VALUE OF THE MARKET

Ultimately, INVESTING IN CRYPTOCURRENCY IS A GAMBLE. Currently, there isn’t enough insurance to account for its market. However, it is growing—which could prove lucrative for you and your business in the coming years. PIA.ORG

NEWS TO USE

Do you need an upgrade? By default, Windows 10 updates your operating system automatically. However, if your agency’s computer system is running older software, or if you have software from a different company (your agency management system, your email program, your internet browser), you and your staff members may need to run these updates as they are distributed. However, don’t these updates always seem to come at the wrong time? What would happen if you ignored or postponed it just once? Would it be a bad idea to let a few updates go by before you installed the latest version? In a word, “Yes.” The companies that designed these programs examine them constantly, looking for bugs and security issues and writing programs to fix these issues. It’s up to you to make sure the most current version of the program runs on your computer. If you don’t, your computer system could be vulnerable to attacks from outside sources. The next time you update your computer’s software and see the updates message, click on it to review all the updates that occurred. You will see phrases such as, “malicious software removal tool” and “security update” for all your computer’s programs. The same rule of thumb applies for software version updates. When a company announces it will unveil a new version of its web browser it’s a good idea to keep up with those updates, too. A browser is just a browser, right? It’s easy to get comfortable with what you know. Sometimes, the change a company makes to a product’s appearance can leave people scratching their heads and saying, “Where did that feature go?” In fact, sometimes a change does not go over well, and a company needs to backtrack and start again. However, staying put is not an option with technology and software. Individuals who stay with an outdated version of a computer program put themselves in jeopardy for a potentially serious computer breach. For example, Google Chrome, a web browser, released version 97 in January 2022. Older versions—such as Chrome 88, which is no longer being supported by Google—are known to be less stable and are more likely to crash a computer. Who has time to reboot a computer during a busy workday? As websites become more sophisticated and utilize more images, programming scripts and other resources, older versions of web browsers lack the capability to keep up, which slows them down and causes them to freeze.

They are more vulnerable to viruses, spyware, malware and other security issues. Eventually, companies stop creating patches for older versions of software. Did you know that Microsoft ended support for Internet Explorer 11 across its Microsoft 365 apps and services in August 2021? What does that mean? If a computer isn’t running a version of Microsoft Edge, software and security patches are not being developed and hackers are known to exploit this weakness. This can expose independent agencies to data breaches and liability lawsuits. On the other hand, newer web browsers will update automatically or launch a notice that a software update is available, so a user doesn’t have to worry about whether his or her software is current. Updates can make a program run faster. Cyber liability protection In addition to keeping your software updated, another step you can take to protect your agency from cyberthreats is to make sure it has a cyber liability insurance policy. This type of policy can cover data breach/privacy crisis management; multimedia/media liability; extortion liability; and network security. Does your agency need a cyber liability insurance policy? PIA Northeast offers several products to its members. Agents interested in this coverage should call PIA at (800) 424-4244 or visit pia.org. Added benefits With the development of smartphones, tablets and other devices, a company’s website needs to be versatile for myriad platforms. Web designers need to decide how many versions of each of the popular web browsers they will support with their websites. If someone hasn’t updated his or her web browser in a while, the information on the website might not load properly and information will drop off the web page. For example, your PIA website is supported by any modern web browser, so images will drop out and the website won’t function properly for users with older web browser versions. Say yes to the update So, when you are setting up your new computer, make sure the automatic update feature is enabled—and check periodically to make sure it’s still enabled. Or if you get a notice from one of the companies with which you do business, take the time to run the update. That way you’ll know your computer is running to the best of its ability and you have taken the first steps to protect your and your clients’ information.

PROFESSIONAL INSURANCE AGENTS MAGAZINE

You’ll like us because there’s nobody like us.

[

Workers Compensation Insurance • No volume requirements • Competitive rates • Multiple options for premium payments • Open to Shock Loss/High Mods Send in your submissions today. For more information contact a marketing rep at 844-761-8400 or email us at Sales@Omahanational.com. Coverage in: AZ • CA • CT • GA • IL • NE • NJ • NY • PA Omaha National Underwriters, LLC is an MGA licensed to do business in the state of California. License No. 078229. Coverage is provided by Preferred Professional Insurance Company. Coverage may not be available in all states.

Smart. Different. Better.

We're here to help you move your agency forward. Local expertise, national scale.

Talk to your territory manager or find one at LibertyMutualGroup.com/Business and Safeco.com/Agent-Resources

Who’s liable for a website’s content? In New York state in 1995, a Nassau County Supreme Court judge held Prodigy—a company that once ran online bulletin boards—liable as a publisher for content posted by an anonymous user who claimed the securities investment firm Stratton Oakmont and Stratton’s president, Daniel Porush, had committed criminal and fraudulent acts.1 Other posts cited in the lawsuit were comments that Porush would soon “be a proven criminal,” and Stratton was a “cult of brokers who either lie for a living or get fired.”2 The decision in Stratton Oakmont v. Prodigy Services Co., focused on the issue of whether Prodigy qualified as a publisher liable for the content posted by users on the bulletin boards and the role of the moderator of the specific board.

The decision that a company moderating an online messaging board could be held liable for the content sent off alarm bells across the country—including the halls of Congress. In 1996, Congress passed the Communications Decency Act. Section 230 of the act created a federal statute explicitly protecting interactive computer service companies from liability for third-party

LEGAL

CLARE IRVINE, ESQ. Government affairs counsel, PIA Northeast

Commercial Auto & Garage Risks Like Yours Need An Ally Like Lancer Any number of events can threaten your clients’ day-to-day operations. That is why we offer affordable Commercial Auto and Garage Liability coverages* to help protect them from the risks they face, with the backing of a team that knows the industry inside and out. Our risk appetite includes: • Contractor Vehicles • Service Vans • Box Trucks • Pickups • Light Trucks

• Tow Trucks • Mobile Equipment • Auto & Truck Repair Shops • Body & Fender Shops

• • • • •

Transmission Shops Used Car Dealers Parking Garages Service Stations And more!

Writing in NY, NJ, PA and CT! Obtain quotes online or contact us today at 516-431-9191 x3507 or producer@lancerinsurance.com

www.lancerinsurance.com * Please contact us for a list of available products and coverages by state.

PIA.ORG

content posted on their website. The limits on liability extend to service companies that do moderate content, allowing websites to monitor and remove harmful content without exposing themselves to liability for all content posted on the website.

Limiting liability and innovation Limiting liability for companies has long been available with the intent of encouraging innovation and risk taking. Most insurance agencies have been structured to limit the liability of the owner(s) of the agency. This protects the agency owners’ personal property in the event of a major errors-and-omissions claim against the agency. By limiting the liability to the agency for such a

Try Us, You’ll like Working With

The Best Restaurant, Bar & Tavern Program With The Best-In-Class Service & Reliability EverGuard, an acknowledged Restaurant, Bar & Tavern market leader with 40+ years’ experience has the best-inclass package policy to service your clients. Make 2022 the year you can set aside those non-renewals due to programs leaving the RBT market. Our continued longevity offering an uninterrupted market assures you will receive the best product underwritten by an A.M. Best “A” rated carrier without program interruptions. EverGuard’s respected reputation in the RBT market speaks to our stability and reliability to provide industry leading response time and customer service to our partner agencies. EverGuard offers a long-term partnership for your RBT business. • • • • • • • •

Exceptional service is an EverGuard priority Package Policy, Property, GL & Liquor Liability A&B available No limit on alcohol sales Entertainment considered Workers’ Comp is available Experienced & Professional Staff Fast turnaround quoting

EverGuard Insurance Services 1900 W. Nickerson St., Seattle, WA 98119

Michael Maher EverGuard Insurance Services VP, Business Development Michael@everguardins.com 206.957.6576 everguardins.com

EverGuard does not offer or solicit the program in the states of New Hampshire, Connecticut or Vermont.

PROFESSIONAL INSURANCE AGENTS MAGAZINE

claim, owners can take more business risks and innovate. However, these limits are not absolute and can be pierced when a court finds it necessary to do so. In 1996, it made sense to limit the liability of internet companies for the content posted by users. By the time Stratton Oakmont filed its lawsuit against Prodigy, about 60,000 messages were being posted on the various message boards run by the company each day.3 At this time, companies may have monitored and removed offensive content, but they lacked the capabilities to edit every post. Had liability not been narrowed, innovation would surely have been greatly limited by the potential costs associated with such liability standards. The companies that were founded after Section 230 went into effect were encouraged by the law to move fast and break things. Google was incorporated in 1998 and Facebook was created in 2004. In 2005, both YouTube and Reddit were founded with Twitter following in 2006. For companies founded prior to Section 230 (e.g., Amazon and eBay), the reduction in liability allowed for greater opportunities when expanding. Beyond shielding companies from potential liability for defamatory comments posted by third-parties, they also have been protected from liability for content violating someone’s intellectual property rights.

Broken things Sen. Ron Wyden, D-Ore.—one of the sponsors who introduced Section 230—described it as “a sword and a shield” for companies with online platforms, designed to both help shield start-ups from liability while giving cover for major companies to

monitor platforms.4 Yet, such strong immunity from liability effectively has given an incredible amount of power to major corporations that care primarily about generating as much revenue and value for their shareholders. From designing algorithms that drive people to more extreme content, to determining who to remove from their platform, the actions of major internet companies have put Section 230 into the focus of many lawmakers. Some of the immunity has been curtailed by limited exceptions aimed at the specific issue of sex trafficking. President Donald J. Trump signed legislation5 to expand the options of prosecutors looking to hold companies liable for websites that act as third parties for traffickers and to remove the Section 230 shield from liability for such content.6 The legislation had massive bipartisan support, but internet companies warned that chipping away at the legal shield for content on their platforms would reduce growth and innovation. Sen. Wyden—one of the two senators who voted against the legislation—said on the Senate floor that it would disproportionately harm small companies, especially start-ups, which do not have the resources and legal departments to defend themselves.7 A bigger, more complex concern comes from free-speech advocates. A question about social media—specifically Twitter—arose in federal court in 2017 after Trump blocked several parties from accessing his posts. Due to the public nature of the account, the judge compared the account to a public park and held that the president could not block citizens from accessing and interacting with his account.8 Now, that specific issue has been rendered somewhat histor-

WEBINARS Dynamic CE Credit –Anywhere

PIA.ORG

ical as Twitter removed Trump from the platform altogether, asserting that the account violated the company’s policies for the platform.9 This lays bare the tension between allowing companies to monitor and moderate content on their platforms that have grown to the size of public forums for First Amendment purposes. Section 230 also presumes companies have an interest in moderating content by allowing them to do so without facing liability for potentially offensive or illegal posts not taken down. In recent years, it has become increasingly clear that many major companies may have written policies regarding offensive or illegal posts, but they do not have a strong interest in enforcing them. Facebook conducted an internal study about how its algorithms affect what content people interact with and how it affected them. Users were more attracted to divisive content, so the company increased how much of this content they saw to keep users on the platform longer. The more the users interacted with such content, the more of it they saw on their feed—and the more time they spent on Facebook. It had the effect of driving people apart and increased the extreme content on the site.10 Ultimately, top executives effectively ignored the research. Reasons, including freedom-of-speech arguments, could be made about what people post on the platform, but Facebook’s problem spirals into how it controls what people see on the website. For Facebook and most internet companies, the primary motive behind all such decisions has been making a profit with content moderation a low priority.

What next? The way people interact with each other has changed dramatically since Section 230 of the Communications Decency Act went into effect in 1996, and gave online platforms the freedom of liability that enabled great growth. With such change, is it time to reevaluate such broad immunity for online platforms, or consider other ways to balance out the competing interests of Americans? Several proposals have been introduced in Congress this session to reduce the Section 230 immunity—from stripping companies that distribute paid advertisements of the protections, to allowing individuals to sue a company when they allege that a platform amplifies content from terrorists.11

Sen. Mark Warner, D-Va., summarized the efforts as trying to “narrowly draw some exceptions to 230 in a way that doesn’t interfere with your free speech rights.”12 With all the proposals come a multitude of other issues and concerns that make real reform challenging, partly because the platforms have grown far more complicated in the last 25 years. No proposed changes have gained traction, but reforming the law remains a priority of many lawmakers. Irvine is PIA Northeast’s government affairs counsel. Stratton Oakmont may sound familiar. Its rise and fall was portrayed in the 2013 movie, Wolf of Wall Street. Daniel Porush was portrayed by Jonah Hill, although the character’s name was changed.

Porush was not proven a criminal in court—he simply pled guilty and served 39 months in federal prison.

Stratton Oakmont Inc. v. Prodigy Services Company; Supreme Court, Nassau County, NY. May 24, 1995 (bit.ly/3ydzDMV)

Vox/Record, 2019 (bit.ly/3EKK113)

New York Times, 2018 (nyti.ms/3J9RFEH)

New York Times, 2018 (nyti.ms/3lUilQ2) 6

Ibid.

New York Times, 2019 (nyti.ms/3rVnD1f)

Reuters, 2021 (reut.rs/3DJlyIe)

Wall Street Journal, 2020 (on.wsj.com/3dW1hEV) 10

New York Times, 2021 (nyti.ms/3yf470Q )

Design+Print (800) 424-4244 | design.print@pia.org | pia.org/design&print

PROFESSIONAL INSURANCE AGENTS MAGAZINE

Ibid.

66% of all Small Business suffered at least ONE Ransomware Attack in the past 12 Months

     

WANT TO LEARN MORE? HAVE A QUESTION? NEED IMMEDIATE HELP?

safeguarding your data

DIREC T: 909-719-0282 | EMAIL: YIGAL@2SECURE.BIZ | WWW.2SECURE.BIZ

Has your cluster lost its luster? Alpha Northeast can bring it back. Partnering with us means that you can grow your business and continue doing what you do best. And, we’re an affiliate of the nation’s second largest insurance agency network, ISU Insurance Agency Network—so you’ll get to work with some of the best regional and national carriers around.

When you combine forces with us: You’ll be eligible for a 100% commission payout from noncontracted carriers and profit share from first dollar. You’ll have access to the top national and regional carriers. You’ll have greater opportunity to maximize the benefit of networking with other agencies—which means more underwriting clout and increased profit share. If you choose to leave the network, you’ll face zero penalty—but we bet you’ll stay.

With Alpha Northeast, your agency will shine brighter than ever. And let’s be honest—you deserve it.

www.isu-alphane.com

Get back to basics and increase sales this year In any field, the greatest individuals are the ones who are great at the basics. Vince Lombardi, the great Green Bay Packers coach, said football comes down to two things: blocking on offense and tackling on defense— and his great Packer teams spent 80% of their time in practice on drills that honed those skills. Red Auerbach, who coached the Boston Celtics to eight consecutive championships, had his players practice free-throws and shots from short distances repeatedly. Bruce Lee, Pavarotti, Tiger Woods, and all the other greats know the importance of focusing on and mastering the basics to be successful. The same is true in selling. When it comes to sales and selling, there are five basic principles to follow that, ultimately, lead to sales success. No. 1: Have a daily plan and get that plan done. In addition to annual, monthly and weekly goals, you need a goal and plan for daily activity. How many sales, proposals, and prospects do you need and how many calls and contacts do you need to make each day to reach those goals? Whatever that goal is, your objective is to not only hit it, but to exceed it—even if it’s only by one or two calls. By the way, you should be prospecting every day. It keeps you sharp and consistent. No. 2: Spend 80% (or more) of your prime hours on key sales activities. The three activities you should be spending most of your time on during the workday are: prospecting, presenting and closing. That’s it. Everything else should be delegated or done during off-hours. Yes, things will come up during the day that you need to handle. That said, if you’re focused on these three activities and adamant that you will do as much of them during the workday— avoiding procrastination and other time wasters—you’ll rarely have to worry about your sales numbers. Remember: Sales is a numbers game. Yes, relationships and the quality or those relationships are important, but to have the number of relationships you need, you must talk to a lot of people. It’s simple, the more people you talk to, the more business you will do. If you talk to enough people during the day, you’ll eventually run into someone who says, “I need what you have,” or “I know someone who needs what you have.” No. 3: Get great at selling. After spending time on key activities, and making enough calls on qualified prospects, developing great sales skills is the second most important principle. If you are highly skilled and know what to say and do in all sales situations, your sales will skyrocket—assuming you’re making the necessary calls. The better you know how to get to prospects, get their PIA.ORG

attention and keep it, match solutions, listen, present, handle objections, close, etc., the more effective you’ll be and the more sales you’ll make.

SALES

JOHN CHAPIN President, Complete Selling

The fastest way to get great at selling is to: 1. make sales a study; and 2. do what the top salespeople do. Become a student of selling, be a sponge, read, listen to, and watch anything you can about selling. The fastest way to get great at selling is to: 1. make sales a study; and 2. do what the top salespeople do. Become a student of selling, be a sponge, read, listen to, and watch anything you can about selling. Invest in good books, audio programs or other courses, from actual top salespeople and trainers who have been there, done that, and go through the material thoroughly. Next, find the top salespeople in your company, your industry, and in other industries. Call them on the phone, email 15

them, or otherwise get in touch with them and ask them what makes them successful. It’s simple, if you do the same things as top salespeople, you will get the same results. No. 4: Get back to personal communication and build relationships. In-person still is the best way to contact people and stay in touch. With all the technology at our disposal there can be a tendency to use it too much. In-person communication has been replaced by emails, text messages, video conferencing, and other less-personal communication. Make more in-person cold calls and visits to customers to say hello, drop off the proposal instead of mailing or emailing it, and to follow up in person instead of trading voice messages. You also should be sending hand-written thank-you notes, birthday cards, holiday cards, and anniversary cards. Your objective is to have more personal contact at a time when your competitors are calling less and being less personal. At the end of the day, it’s all about people and relationships. You must connect with people on a personal level and stay in communication and continue to build the relationship. No. 5: Work hard and smart. We talked a bit about working smart when we talked about finding the top salespeople and doing what they do. Success leaves clues. You don’t want to reinvent the wheel and you don’t have to, simply find out what makes the top salespeople the top salespeople and do what they do. You also want to use best practices in your industry. Look for ways to work more efficiently.

calls and work more hours to find the prospects and make the sales. In addition, you must work hard on your mental attitude, on keeping negatives out, on staying motivated, on building your network, and on everything else that your selling career involves every day. Chapin is a motivational sales speaker, coach and trainer. For his free eBook: 30 Ideas to Double Sales and his monthly articles, or to have him speak at your next event, go to www.completeselling.com. He has over 34 years of sales experience as a No. 1 sales representative and he is the author of the 2010 sales book of the year Sales Encyclopedia (Axiom Book Awards). Reach him at johnchapin@completeselling.com.

112488 815

In addition to working smart, you must work hard. It takes time to make the necessary initial calls and follow-up calls. You may have to make more

When disaster strikes, we’re here for you and your clients. We help clients recover their homes and businesses. And we help you retain your relationships. Water damage restoration Fire/smoke and soot Mold remediation Moving and storage Contents cleaning HVAC and duct Odor removal 16

ser

v i c e s o f c T, i N c .

Norwalk office:

Danbury office:

West Hartford office:

3 Duke Place South Norwalk, CT 06854

29 Starr Road Danbury, CT 06810

635 New Park Ave., Ste. 3A West Hartford, CT 06110

(800) 442-7978 Toll free (203) 853-6524 fax

(203) 743-3103 Phone (203) 853-6524 fax

(860) 231-7900 Phone

PROFESSIONAL INSURANCE AGENTS MAGAZINE

Company

Brooks is proud to support Professional Insurance Agents (PIA) and Wholesale & Specialty Insurance Association (WSIA). Since its founding in 1991, Brooks Insurance Agency has successfully serviced the standard markets and brokered distressed and complex lines of business. We are here to help agents find the coverage their clients need. We represent 80+ quality carriers, including several new and exciting markets, across the country. Plus, a broad array of products and services in admitted and non-admitted markets. MARKET STRENGTHS AND EXPERTISE • • • •

Broad market reach High-touch broker specialists Easy, online quoting process Collective approach to complex insurance needs

BROOKS IS HERE FOR YOU. How can we help you? Call us at 732.972.0600 or email us at info@brooks-ins.com.

Brooks Insurance Agency | A Venbrook Company • 70 Bridge Plaza Drive, Manalapan, NJ 07726 • Tel: 732.972.0600 • Fax: 732.591.8785 • brooks-ins.com Brooks Group Insurance Agency, LLC | NJ License 1575143 • Brooks Insurance Agency of NY LTD | NY License 822541 • Brooks Insurance Agency, Inc. | NJ License 9352411 © 2021 Brooks Insurance Agency, LLC is a wholly-owned subsidiary of Venbrook Group, LLC. All Rights Reserved.

•

OVER

•

Providing exceptional personalized service to the premium finance industry since 1965.

OF INSURANCE PREMIUM FINANCING

Insurance Premium Financing with Unparalleled Payment Options ✔ Credit cards for a flat $7.95 fee ✔ Debit cards for a flat $3.50 fee ✔ Free e-check ✔ Free check by fax ✔ Free auto bill pay ✔ Cash payments at CVS and most 7-Eleven stores ✔ 24-hour online account access/management ✔ If you finance NYAIP apps, it’s time to go paperless with Premins

P C

The Premins

Company

The Premins Company

132 32 St., Ste. 408 | Brooklyn, NY 11232 • (718) 375-8300 (800) 599-3279 • info@premins.com • www.premins.com nd

117742 1021

Employee Benefits for Insurance Agencies Let the PIA Members’ Choice group benefits program take care of your agency.

Medical Dental/vision LTD with Reliance Standard Term life with Reliance Standard

PIA’s curated programs for member agencies and brokerages feature carrier selection, flexible coverage, top-notch customer service, and claims assistance when you need it.

Get your quote today! (800) 424-4244 | memberservices@pia.org

DAVE VENER President, TAG Solutions LLC

PROTECT your clients’

PERSONAL

INFORMATION

Cybercriminals are targeting the insurance industry

s the cyber security landscape evolves, insurance agencies and companies are finding themselves in the crosshairs of cybercriminals. Security Scorecard explains that, as previous high-profile targets in sectors such as finance have tightened their security protocols, cybercriminals and other malicious actors are turning to the insurance sector as their next source for lucrative data breaches.

PROFESSIONAL INSURANCE AGENTS MAGAZINE

PIA.ORG

Typically, insurance companies maintain extensive databases of policyholder information that provide fertile prospects for identity theft. The average insurer is targeted by 133 cyberattacks per year—with 1 in 3 attacks (or more than three per month) being successful.2 Data breaches can cost insurers not only a lot of money, but also the reputation for reliability that insurance agents rely on to attract and retain customers. To best protect yourself and your policyholders, it’s imperative first to understand the modern security threat landscape. Next, assess what data you handle and how it’s stored. Once you have a handle on the threats you face and what you’re protecting, take specific steps to address vulnerabilities in your systems. Finally, work with your policyholders to protect their homes and places of business from cyberthreats.

Cyber security threats for agents today While there are many types of cyber security threats, the insurance industry is particularly vulnerable to a few specific types, laid out by Security Scorecard and Global IQX.3 Social engineering. Did you know that one of the most significant points of vulnerability in your organization is not any specific piece of technology, but the people who operate it? Social engineering attacks are popular and highly effective methods of obtaining illicit access to data.4 In social-engineering attacks, humans are manipulated or tricked into divulging sensitive information or bypassing security measures.5 Phishing emails trick recipients into thinking they are receiving a legitimate request for information or credentials.6 Antivirus and cyber security company Norton reports that spear-phishing—an even more targeted and sophisticated form of social engineering—is used by 65% of cyber criminal groups.7 Ransomware and extortion. Another popular avenue of attack is ransomware,8 which is growing by more than 350% annually and has been targeting insurance agencies in particular.9 Ransomware prevents you from accessing your data and systems unless you pay the price demanded by the cybercriminal, who may—or may not—unlock the data. While one way of defending against ransomware is to keep backups of your data, this also introduces further vulnerabilities in choosing storage solutions and having additional copies of the data that can be stolen. This is why understanding what data you collect and how you store it is an essential part of your cyber security plan and can help you enact measures like data segregation. Automated attacks. Attacks that aren’t particularly bespoke still pose a threat. Denial-of-service,10 credential-stuffing,11 bad bots, vulnerability scanning, and credential cracking still are used to obtain access to your employees’ or your policyholders’ accounts or data while denying you access to it. These attacks can shut down your business operations quickly and effectively. Third-party exploits. As of 2016, Accenture found that 88% of insurers and claim leaders were using at least one third-party provider for things like payment processing and data storage, and the list of available services and providers has only grown.12

PROFESSIONAL INSURANCE AGENTS MAGAZINE

An insurance firm can have robust security practices and still fall prey to data breaches through vulnerabilities in its third-party solutions. This is especially true when third parties often are used for data processing or data storage. To help prevent these types of breaches, examine your own data and how it’s handled by these parties.

Let’s talk data One of the first and best steps an agency can take is determining what kind of information it collects or processes, who owns that data, and how and where it is stored. Two valuable types of data typically handled by insurance agents are personal identifiable information and financial data, as well as proprietary data and trade secrets. The U.S. Department of Labor defines personal identifiable information as any information that allows the identity of a specific individual to be reasonably inferred either directly or indirectly. This includes immediately identifiable information such as a name, physical or email address, phone number, or Social Security number. It also extends to information that can be used in combination with other data elements to indirectly identify an individual, such as gender, birth date, race, or geographic indicators. Information that permits the physical or online contact of a specific individual is personal identifiable information. Likewise, financial data, such as credit card numbers or bank account information, is both valuable and vulnerable. However, these are not the only data considerations for insurers. An Accenture Security Report on Cybersecurity and the Insurance

Industry states that you should be confident you have not only identified all priority business data assets, but also their locations and whether they are segregated from less critical data.13 This leads naturally to where your data is stored and who owns it. The Insurance Journal reports14 that while there is no clear consensus on who owns consumer data, consensus exists on who is responsible for its security: the insurance agent.15

Protecting your agency

In this context, it behooves the agency principal to go over contracts with current, potential, and even past vendors that provided data storage and processing solutions. Understand where liability falls, how your access to the data is structured and governed, and even how your customers can access their own data under the spread of consumer privacy and protection laws.

Email is a leading source of vulnerability, so review how your agency uses and accesses it. Hire a cyber security firm to perform pressure testing. Once you’ve identified and addressed vulnerabilities, incorporate recovery protocols in case of breach into your security plan and test that, too. Invest in early detection: 61% of insurers say it takes months to detect breaches.16

With awareness of cyber security threats comes the question of how to address them. Here are concrete steps insurance agents can take to protect themselves, their agencies and their policyholders. Perform realistic risk assessment and create and test a security plan. Assessing your data collection, processing, and storage policies is one step in identifying what data and systems need protection and determining threat levels. In addition to determining where and how sensitive data is stored, how it’s used, and who has access to it, identify what processes are in place to protect information and the protocols for remote access and access via mobile devices.

Secure devices and network connections. Ensure that a firewall protects every network connection. This piece of hardware or software assesses network traffic and blocks malicious traffic such as viruses or attacks. The New York State Department of Financial Services, which has issued the New York Cybersecurity Requirements for Financial Services Companies, has provided additional guidance for cyber security awareness in a post-pandemic world.17 Every

SELECTIVE DELIVERS AN EXCEPTIONAL CUSTOMER EXPERIENCE Consumers demand agents protect them and make it easy to do business. That’s what Selective does for our mutual customers.

© 2021 Selective Ins. Group, Inc., Branchville, NJ. Products vary by jurisdiction, terms, and conditions and are provided by Selective Ins. Co. of America and its insurer affiliates. Details at selective.com/about/affiliated-insurers.aspx. SI-21-315

PIA.ORG

financial services company, including insurance agencies, that do business in New York state need to comply with the state’s cyber security requirements. Other states, such as Connecticut, also have cyber security requirements—if your agency follows the requirements outlined in New York state, you likely will be in compliance in other states, too. Even if your state doesn’t have specific requirements, it’s not a bad idea to follow some guidelines regarding cybersecurity. The shift to remote work means that agencies must ensure the security of employee devices and connections at home. Limit employees’ ability to install or delete programs on their devices, automate software and security updates, use VPN and multi-factor authentication to create more secure connections, and provide guidance to employees on using communications and conferencing software securely. Establish a culture of security. Cybersecurity is everyone’s responsibility. You should institute safeguards against both malicious insiders and innocent user error. Provide robust and regular security awareness training, including simulations of social-engineering attacks, such as phishing.

Tips for a post-pandemic world Cybersecurity for your policyholders, too, starts with awareness and staying up-to-date. An essential precaution is to issue guidance to your policyholders on how to keep their account secure. Still, as their insurance agent, you’re more than a login screen with increasingly complex password requirements. You’re who your policyholders entrust with the security and integrity of their homes, businesses or other assets. Build trust and protect your reputation and your policyholders by helping them keep their insured properties safe. Encourage your policyholders to secure their Wi-Fi and network connections.18 In modern homes, network security affects computers and all connected smart devices and appliances, and even the house. Just as your employees’ devices should be kept up-to-date, tips for securing smart homes include changing all default device names and passwords and ensuring all devices have the latest software updates installed.19 In the modern world, helping ensure the physical security of your policyholders’ homes is another facet of preventing unauthorized data access from devices inside the house.20 Finally, as COVID-19 continues to redefine how you and your policyholders do business, work with your customers to make sure their policies are up-todate, reflect business use of their home, and provide adequate coverage. With more than 20 years of owning a business and rebranding hospitals, banks, manufacturers, and technology companies, Vener pivots when faced with challenging industry and market dynamics or obsolete/outdated products and servers. His agility, innovation, and leadership drive business growth. He is the president of TAG Solutions, and he has work with the team at TAG to educate the community on methods and tactics to ensure organizations reduce their risk relative to cybersecurity. Vener has presented regionally and nationally on topics related to IT, cybersecurity and unified communications.

PROFESSIONAL INSURANCE AGENTS MAGAZINE

Security Scorecard, 2021 (bit.ly/3dPRujr)

Accenture Security, 2016 (accntu.re/3yr2Vrp)

Global IQX, 2021 (bit.ly/3s63nKA)

Security Scorecard, 2020 (bit.ly/3ypTSHc)

Cybersecurity & Infrastructure Security Agency, 2009 (bit.ly/3EY4lMp)

Federal Trade Commission (bit.ly/3dSI0Uy)

Norton, 2021 (nr.tn/3oRTGx8)

Security Scorecard, 2021 (bit.ly/33jy44q)

Insurance Journal, 2021 (bit.ly/3lZb5ST)

Cybersecurity & Infrastructure Security Agency, 2019 (bit.ly/3GHGocS) 10

Cloudflare (bit.ly/3m21pXy)

Accenture Security, 2021 (accntu.re/3yppqwQ )

Accenture Security, 2016 (accntu.re/3yr2Vrp)

Insurance Journal, 2020 (bit.ly/3pYi3IS) 14

Insurance Journal, 2020 (bit.ly/3pUlkci)

Accenture Security, 2016 (accntu.re/3yr2Vrp) 16

New York State Department of Financial Services, 2020 (on.ny.gov/3yrwt84)

Norton, 2018 (nr.tn/3oTPXiQ )

Vector Security (bit.ly/3yq3p0W)

Consumer Affairs (bit.ly/3oUhsst)

AmGUARD • EastGUARD • NorGUARD • WestGUARD

Workers’ Compensation

We distinguish our Workers’ Compensation coverage by providing value-added services before, during, and after a claim. Upfront loss control measures Responsive claims handling Facilitation of quality medical care (when an accident does occur) We’ve been successfully protecting our policyholders and their employees since 1983.

Browse all of our products at www.guard.com.

APPLY TO BE AN AGENT: WWW.GUARD.COM/APPLY/ Our Workers’ Compensation policy is available nationwide except in monopolistic states: ND, OH, WA, and WY.

Your Clients are Getting Back to

Business

PIA's Monoline Workers’ Compensation Program is Here to Help As work environments shift and evolve, your PIA member-exclusive market access can entertain hundreds of class codes, offer a low minimum premium, and provide quick turnaround. Let our expertise and knowledge in the WC market work for you and your small-business clients. PIA’s NumberONE Comp market is now entertaining artisan classes, such as: • Landscape gardening—excluding hardscape • Plumbing NOC • Electrical wiring • Ceramic tile • Cabinet work installation • Concrete and cement work • Painting NOC—interior only

Other classes include offices, restaurants, beauty shops, retail stores, doctors/dentist offices, and more. In partnership with

(800) 424-4244 | memberservices@pia.org

ADAM STERN Founder & CEO, Infinitely Virtual

How secure is your agency’s data?

Think beyond traditional forms of defense

Insurance is all about addressing and mitigating risk. Cybersecurity offers the insurance industry a proving ground to demonstrate its bona fides in a realm that is very much of the moment. The stakes are high, the players instinctively vigilant, and the existing infrastructure architected for precisely the checks and balances that define the insurance business.

tions that are relatively inexperienced at dealing with the challenges of an omni-channel environment.

Consider this recent assessment from Deloitte1 of the industry’s level of preparedness:

What’s more, the challenges are likely to become more complex as insurers embrace big data and advanced analytics that require collecting and handling vast amounts of consumer information. It’s worth noting that most of the breaches publicly reported by insurance companies to date have been characterized as short-term attacks, with cybercriminals compromising a system, stealing specific information and then quickly moving on ... We believe the number of long-term attacks may be silently growing as attackers quietly slip in undetected and establish a persistent, ongoing presence in critical IT environments.

Cyberattacks in the insurance sector are growing exponentially as insurance companies migrate toward digital channels in an effort to create tighter customer relationships, offer new products and expand their share of customers’ financial portfolios. Although these digital investments provide new strategic capabilities, they also introduce new cyberrisks and attack vectors to organiza-

Over the years, many insurance organizations have invested a lot of money in security tools and processes that may be providing a false sense of security. As attackers learn to leverage encryption and other advanced attack techniques, traditional tools such as firewalls, antivirus software, intrusion detection systems (IDS) and intrusion prevention systems (IPS) are becoming less and less effec-

So far, so good. However, might insurance agents and brokers inadvertently be sleepwalking into a cyber security trap? What if they’re investing in security tools that provide insufficient protection, effectively chasing cows that have long since left the barn?

PIA.ORG

tive. As a result, many insurers may be misallocating their limited resources to address compliance-oriented, easily recognized threats while completely overlooking stealthy long-term threats that ultimately could be far more damaging.

arrangements prior to full resolution. If data is restored sooner than anticipated, so much the better.

Put another way, forewarned is forearmed. Breach notification represents a relatively new class of solution, one that savvy organizations in the insurance sector and beyond have begun to implement to hit the problem head on, proactively. Indeed, some form of breach notification is increasingly becoming standard operating procedure. In part, the trend reflects regulatory moves— inspired by the health care sector—along with a renewed commitment to transparency among affected businesses.

Breach notification likewise involves detailed explanations of what occurred and what steps are being taken to avert future breaches. Even nontechnical customers want to know that the organization is working to secure the environment. Customers aren’t expecting— and usually don’t require—overly nuanced information about fixes; they do need a clear, high-level overview. Some organizations go so far as to schedule a webinar to review what happened and how, and what remediation looks like.

Setting the pace is the HIPAA Breach Notification Rule, which requires HIPAA-covered entities and their business associates to provide notification following a breach of unsecured protected health information. Similar breach notification provisions implemented and enforced by the Federal Trade Commission,2 apply to vendors of personal health records and their thirdparty service providers, pursuant to Section 13407 of the HITECH Act. All of this is happening in the nick of time. Per Cybersecurity Guide,3 it is estimated that attackers have penetrated the insurance sector to exfiltrate the personally identifiable information of more than 100 million Americans. In this milieu, breaches happen—often, big time. According to trend watcher PurpleSec, cybercrime is up 600% since the COVID-19 pandemic began in March 2020. Counterintuitively, the number of data breaches decreased over the same period. That speaks to the very definition of a data breach; it technically isn’t one until the victim notices it—a troubling statistic, since hackers, on average, have access to data for 279 days before an attack—typically phishing or ransomware—is recognized as such.4 Correcting for that seeming anomaly, we’re amid a record-breaking year, data breach-wise. According to The Associated Press, the number of publicly reported data breaches through September 2021 has surpassed the total in 2020 by 17%—based on data from the Identity Theft Resource Center, a nonprofit that works to support victims of identity crime. Although there may be strategic reasons for insurance companies to be discreet about breach disclosure, the clear trend is to be upfront rather than reactive— not least because of the potential deterrent effect of doing so. Organizations in insurance, banking and finance are increasingly likely to follow health care’s lead, as larger companies dispatch breach notifications—perhaps ahead of regulatory mandates, in some cases. Customers clearly value accountability, even if accountability isn’t strictly required. Erring on the side of caution, the smart money holds that breach notification is coming to a server near you.

After the breach Whether notification is mandated or not, smart organizations apprise customers immediately, even (or especially) if little information is available. Share what’s known as soon as possible and tell customers that fresh notifications will be forthcoming as more information emerges. Answer customer questions throughout the investigation. Never over-promise, be honest and be forthright: if restoring data will take two weeks, say so. While customers may not relish the answers, honesty is valued, as is the opportunity to make other 28

PROFESSIONAL INSURANCE AGENTS MAGAZINE

Assurances are essential to both breach notification and incident management; excuses are counterproductive. It’s good policy to let customers know the organization is hiring/paying experts to audit the current environment. Audits are best when scheduled regularly and when customers are kept in the loop—to the point of sharing audit reports. Take time to work with experts on how to limit data exposure or loss— even if the system is breached— and explain these new procedures to customers.

Vigilance now and beyond Whether you’re an agent, a broker, an employee or manager within an insurance organization, there’s a proactive component to breach notification, so heed these edicts as you equip your business for 2022: Treat passwords as you would car keys or the key to your office. Passwords have become the currency of cybercrime, and—to continue the metaphor—too many users are unwittingly printing money by

re-using compromised passwords. Install a secure password manager and use it to generate unique, secure passwords for each site, something virtually all password managers will do.

longer buy peace of mind in an era rife with nefarious actors and thousands of ways to infiltrate organizations and leach data.

Keep your digital house in order, professionally and personally. Once monitoring your online activity (e.g., credit cards, bank accounts, utility bills, recurring payments) becomes second nature, you actually can get ahead of the game and make password changes in real time, where they can do the most good. Enlist services like Experian and TransUnion, which can (in effect) serve as the eyes in the back of your head.

Ironic though it may seem, if you recognize that the work of cybersecurity is never done, you’re apt to reduce the burden of that work and ensure a more (cyber) secure future.

Less is more. Just because you can perform an operation online doesn’t mean that you should. Every time a person goes online via the internet, it creates a new opening in cyberspace, which is a potential portal through which unwanted visitors can pass. Create a virtual moat. Be a mindful traffic cop. Inundated by phone and email messages? Don’t assume they’re all a testament to your popularity. The bigger the influx, the more difficult it is to manage all the messages and the greater the likelihood that some (malicious) unfriendly individuals may be lurking about just waiting for an opportunity. When it comes to specific technologies you and/or your organization should be deploying strive-to-blend anti-malware/anti-spyware solutions with essential human-engineering best practices that treat security as an ongoing process. Whether you opt for pre-baked, home-grown or off-the-shelf solutions, the operative word, indeed, is process. Thinking in terms of process means undergoing a fundamental shift in attitude, to wit: you can no

Note that I said buy, not have. Insurers and their customers can have peace of mind, but not without looking at their businesses in a different way. Banish the checklist in favor of the mindset, the attitude that—to mix a metaphor— the sun should never set on your security empire.

Stern, founder and CEO of Infinitely Virtual, is an entrepreneur who saw the value of virtualization years before the trend took hold. Stern’s company helps businesses move from obsolete hardware investments to an IaaS cloud platform, providing the flexibility and scalability to transition applications and data from in-house to the cloud. 1

Deloitte, 2022 (bit.ly/3H9bydp)

Federal Trade Commission (bit.ly/3ForqYT)

Cybersecurity Guide, 2021 (bit.ly/3EcPwVf)

IBM, 2021 (ibm.co/3GM7fUS)

New Member Benefit for Your Agency

A 401(k) Program Done for You— Cost Effectively

Visit us at: www.tagcobrand.com/pia PIA.ORG

Independent, but never alone. SAN Group is not a cluster, franchise, or brokerage. As a master agency of SIAA, members receive hands-on support locally, while actively participating in the evolution of the independent agency channel.

• Receive direct appointments with more carriers • Profit sharing with no minimum volumes • Risk placement assistance • Start-up agency training and support • Producer training & business insurance growth programs Learn the power of SIAA – a $10.5 billion alliance of independent agencies – contact us today. 800.790.1395 | sangroup.com

Cyber risk coverage considerations for agents Cyber risk coverage is not standardized from carrier to carrier. The differences in coverage could be the types of risks covered, the applicable exclusions to coverage, how limits or sublimits are applied, whether there is technical support provided with the coverage, or how the policy pays out on covered claims. The differences may be nuanced, but the impact may be significant. Understanding your agency’s vulnerabilities is the first step in determining the appropriate coverage. Does your agency handle customers’ personally identifiable information? Does your agency use or process payment cards? Once you understand your agency’s exposures, you should then seek out coverage that will respond to your agency’s needs. Below are several topics to contemplate when considering cyber risk coverage for your agency.

What’s covered? Most cyber risk policies provide some coverage for loss of PII. Does the policy you are considering provide first- and third-party loss of PII? Additionally, ransomware attacks are on the rise in the U.S.—and it is not only large companies that are the target. Does the policy you are contemplating provide coverage for ransomware when your computer is encrypted and your data held hostage? Is there payment card industries fines and penalties coverage? Does the policy you are considering offer options for online banking theft and social engineering—also preferred methods for hackers to attack?

What are the limits? Is your add-on cyber policy subject to the limits of the errors-and-omissions policy, or does it have a separate limit? Some carriers may offer a $1 million policy limit—but how is that limit eroded? Often coverages will have sublimits, so be aware of which limits apply to which type of loss.

Indemnified or reimbursed? How does your policy pay out? Many cyber risk policies only pay out after the damage has been done and you have put the pieces back together again. These reimbursement policies provide little in the way of support, and it may be difficult to know what expenditures are covered and which are not.

PIA.ORG

E&O

BECKY GRIFFITHS Executive commercial lines underwriter, Utica National Insurance Group

Consider policy language such as, “we will pay up to [incident limit] subject to the [aggregate limit] for ‘reasonable and necessary’ expenses incurred by you as result of any [covered event].” Note reasonable and necessary are not defined terms. Compare that language to, “We will pay for all ‘loss’ resulting from a ‘privacy breach’ to which this insurance applies … ‘Loss’ means any amount which an insured becomes legally obligated to pay as compensatory damages arising out of any ‘claim’ to which this insurance applies and shall include judgments and settlements.” The former will require you to submit your receipts and justify the expenditure.

Technical support? Some carriers leave the policyholders to figure out the technical aspects of addressing their computer system and sorting through notification requirements for their customers who had their personal information compromised. Others will provide the policyholders with technical support through a reputable third-party vendor to help with the requirements. You are in the business of insurance, not the business of IT security. Make sure that when you decide on your

Cyber security policy quick check What is covered? • Does the policy you are considering provide first- and third-party loss of PII? • Does the policy you are contemplating provide coverage for ransomware when your computer is encrypted and your data held hostage? • Does the policy you are considering offer options for online banking theft and social engineering? What are the limits? • Is the cyber a separate limit of liability or would it erode your E&O coverage limit? Are you indemnified or merely reimbursed? • Many cyber risk policies only pay out after the damage has been done and you have paid out money to put the pieces back together again. These reimbursement policies provide little in the way of support, and it may be difficult to know what expenditures are covered and which are not. Will I have technical support? • Does the carrier have third-party experts set up to help you with addressing your compromised computer system or sorting through notification requirements (which vary by state) for your customers who had their information impacted?

Hiring made easy Let PIA help with your staffing needs! We’ve created the Agency Staffing Assistance Program—an online member service that helps you find and keep good employees.

To access, visit “Tools and Resources” at pia.org 116225 919

PROFESSIONAL INSURANCE AGENTS MAGAZINE

agency’s cyber risk coverage you consider the amount of support you can expect.

A last bit of advice While not an exhaustive list, these are items you will want to be informed on when considering cyber risk coverage. Finally, be wary of included cyber risk policies. While they may be a nice enhancement to the E&O, they are not likely as robust as a standalone policy. If you have any questions, reach out to your underwriter to discuss and to determine the right fit for your agency. [EDITOR’S NOTE: You can receive a free quote on a cyber liability insurance policy through PIA Northeast. For more information, visit www. pia.org/quote/cyber.php.] Utica National Insurance Group and Utica National are trade names for Utica Mutual Insurance Company, its affiliates and subsidiaries. Home Office: New Hartford, NY 13413. This information is provided solely as an insurance risk management tool. Utica Mutual Insurance Company and the other member insurance companies of the Utica National Insurance Group (“Utica National”) are not providing legal advice, or any other professional services. Utica National shall have no liability to any person or entity with respect to any loss or damages alleged to have been caused, directly or indirectly, by the use of the information provided. You are encouraged to consult an attorney or other professional for advice on these issues. © 2022 Utica Mutual Insurance Company

We’ll Navigate Your

E&O Coverage

You Focus on Business

PIA is here to help you navigate through uncertain times, so let’s make sure you have great errors-and-omissions coverage at a competitive price.

Why PIA Is the Best Choice for E&O • Our professional liability and cyberliability programs are designed for your agency’s needs and risk exposures • Critical coverage options—especially important when many agents are working remotely • Top-rated, stable E&O carriers • Experience & expertise from our team

Get Your Quote Call (800) 424-4244, ext. 408 | Web www.pia.org

Cyber security regulation, credit scoring and more Cyber security regulation–notification of data breach Q. I think that my computer information system was breached by a hacker. Am I required to notify my clients?

breach or security failure. They also can cover third-party damages when people sue or make claims against your clients, or when regulators demand information from them.

A. Maybe. Under Connecticut’s Public Act 05-148 of 2005, any business operating in Connecticut must notify any customers who are residents of Connecticut when the business gains actual or reasonably certain knowledge of unauthorized access of the business’s electronic files or data.

Today, businesses have the following network security exposures and privacy exposures:

However, Connecticut’s law contains an exception, whereby notification is not required if either the data that was taken was encrypted or is the kind of information that is available publicly from federal, state or local governments.

• unauthorized access,

Additionally, notification is not required if—after an investigation and consultation with law enforcement—it is determined that the breach is unlikely to result in harm to the subjects of the breached data.

ASK PIA

PIA TECHNICAL STAFF Have a question? Ask PIA at resourcecenter@pia.org

Network security exposures: • cyberextortion, • ransomware, • virus or malicious code, • theft or destruction of data, or

If notification is required, the statute requires this notification to be offered as soon as practicable, but not before notifying the Division of State Police. —Bradford J. Lachut, Esq.

• business interruption.

Credit scoring

• rogue employees,

Q. What are the Connecticut Insurance Department’s requirements when using credit scoring?

• hacking, or

Privacy exposures: • unsecured physical records, • careless employees,

A. Effective July 1, 2011—as a result of Public Act 10-7—insurers are required to provide a written disclosure of consumer protections regarding an insurer’s use of credit information as determined by the insurance commissioner.

• misplaced devices.

For details, see CID Bulletin PC-69.—Bradford J. Lachut, Esq.

• legal,

Damages can include the following expenses: • IT forensic,

Cyber defined

• credit monitoring,

Q. I have a client who is asking for coverage for cyber. What is this type of coverage? A. It seems that your client is referring to cyber professional liability or cyber liability coverage. The Merriam-Webster Dictionary defines cyber as, “of, relating to or involving computers or computer networks (as the internet).” Cyber insurance policies can cover first-party damages resulting from a privacy

PIA.ORG

• fines, • regulatory or judicial awards, • public relations, • business interruption notification, • extortion payment,

• data asset loss, and • other financial loss. While the Insurance Services Office Inc., has created an E-Commerce Program, most of the insurance is sold on nonstandard policy forms. This requires a great deal of scrutiny of these proprietary provisions in order to meet the particular needs of clients.—Dan Corbin, CPCU, CIC, LUTC

Cyberbullying Q. Would a homeowners policy provide coverage in the event an insured is accused of cyberbullying? A. The National Crime Prevention Council’s definition of cyberbullying is, “when the internet, cell phones or other devices are used to send or post text or images intended to hurt or embarrass another person.” [emphasis added] The practice of cyberbullying is not limited to children; cyberstalking or cyberharassment is when the same activities are perpetrated by adults toward adults or children. Let’s see if there would be coverage for this exposure. Looking at the above definition, one word jumps out: intended. In the UNENDORSED ISO HO 00 03 policy [emphasis added]: Section II–Exclusions Coverage E–Personal Liability And Coverage F–Medical Payments To Others Coverages E and F do not apply to the following: 1. Expected Or Intended Injury “Bodily injury” or “property damage” which is expected or intended by an “insured” even if the resulting “bodily injury” or “property damage”: a. is of a different kind, quality or degree than initially expected or intended; or b. is sustained by a different person, entity, real or personal property, then initially expected or intended. Here we see that since these actions were intended, coverage would be excluded. Another point to be made is that a homeowners policy only covers personal liability for “bodily injury” and “property damage.” A person’s reputation is not tangible property, and mental anguish or emotional trauma is not bodily injury. If the parents of the accused were being sued for cyberbullying, they would not be able to claim this under their homeowners policy. There is an endorsement to the homeowners for personal injury (HO 24 86). However, in the exclusions it states: Section II–Exclusions This insurance does not apply to personal injury: 1. caused by or at the direction of an “insured” with the knowledge that the act would violate the rights of another and would inflict “personal injury”; 2. arising out of oral or written publication of material, if done by or at the direction of an “insured” with knowledge of its falsity; Coverage will be dependent on the knowledge the insured had that such alleged acts violated the rights of another.—Dan Corbin, CPCU, CIC, LUTC 36

PROFESSIONAL INSURANCE AGENTS MAGAZINE

Access to customer data maintained by company Q. Some companies provide access to policyholder information (e.g., declaration pages) to their producers through their website. When the company terminates the producer’s appointment, is the company required to continue to provide the terminated agent access to this information? A. This is a contractual issue of which producers need to be aware. Your contract with the company should provide explicit protection that you will have continued access to the information—preferably for as long as reasonably sufficient to satisfy any applicable statute of limitations period, or for at least as long as state law requires for record retention. Six years is a reasonable period. —Bradford J. Lachut, Esq.

Deleting an additional insured Q. What would be the guidelines for deleting an additional insured from the policy? A. Endorsements that do not include completed operations should be removed from the policy at renewal if the insured indicates in writing that the work has been completed. However, endorsements that include completed operations should not be removed until the insured indicates in writing that the time period required in the governing contract has been satisfied.—Dan Corbin, CPCU, CIC, LUTC

Whatever business you’re in, odds are we insure it. If there’s one thing we’ve learned during the past 110 years, it’s that every business is different, and its location affects its unique needs. That’s why we work with independent agents in nearly every state to design custom, innovative insurance programs for our policyholders. As an EMC-insured organization, you receive instant access to our superior loss control tools and training, and benefit from claims services that are second to none. Experience what nearly 500 different types of businesses already know: You can always Count on EMC®.

Everyone Loves CE—Get Some This February! This month, you have a multitude of opportunities to earn continuing-education credits that will help you develop and strengthen your skills as an independent insurance agent.

Online CE Courses to Consider:

The way we see it, when you invest in yourself, you invest in your agency and your insureds—you simply can’t afford not to. Register today on the PIA Northeast education schedule.

Feb. 1: Cyber Liability–The 21st Century Peril

CTCE: TBA | NH CEU: 3 Producer PROD | NJCE: 3 GEN | NYCE: 3 BR, C3, PA, PC | VTCE: N/A

Feb. 2: Insurance Agents Professional Liability: Why? How? Where?^FF^UN CTCE: 3 PC | NH CEU: Contact MAIA | NJCE: N/A | NYCE: TBA | VTCE: N/A ^FF^UN

–This course has been approved for E&O loss-prevention credit by Fireman’s Fund and Utica National. Call the PIA E&O Department for details.

Feb. 14: Contractors: Commercial General Liability Coverage Issues CTCE: 3 PC | NJCE: 3 GEN | NYCE: TBA

Feb. 15: The Heartbreak Series

CTCE: TBA | NH CEU: TBA | NJCE: TBA | NYCE: TBA | VTCE: TBA

Feb 17-18: NYAIP Producer Procedures Course Live Webinar 2022 update, Parts I and II NYCE: TBA (Part I); NYCE: TBA (Part II)

Feb. 23: Condo Coverages and Common Homeowners Endorsements CTCE: TBA | NJCE: TBA | NYCE: TBA

Feb. 28: Condos, Co-Ops and Other Community Associations CTCE: 3 PC | NH CEU: 3 PROD | NJCE: 3 GEN | NYCE: TBA | VTCE: TBA

Feb. 28: New York City Potpourri CE: Education With a Focus on the New York City Insurance Producer NYCE: TBA

Connecticut Convention March 24 - 25, 2022 Hartford Marriott Downtown

Education Highlights Thursday, March 24 8:30-11:30 a.m.

Things Every Agent Should Understand About Commercial Property Coverage Approved for 3 CTPC credits. (6000112177)

1:30-3:30 p.m.

You’re Using Your House and Car for What? Approved for 2 CTPC credits. (115146)