February 2023 • Connecticut
How do I advise my clients on what matters most? An insurance agent’s guide to cybersecurity
IN THIS ISSUE: Managing risks, cyber liability policies • Challenges with remote workers • Social engineering risk mitigation
Statements of fact and opinion in PIA Magazine are the responsibility of the authors alone and do not imply an opinion on the part of the officers or the members of the Professional Insurance Agents. Participation in PIA events, activities, and/or publications is available on a nondiscriminatory basis and does not reflect PIA endorsement of the products and/or services.
President and CEO Jeff Parmenter, CPCU, ARM; Executive Director Kelly K. Norris, CAE; Communications Director Katherine Morra; Editor-In-Chief Jaye Czupryna; Advertising Sales Executive Calley Rupp; Senior Magazine Designer Sue Jacobsen; Communications Department contributors: Athena Cancio, David Cayole, Patricia Corlett, Darel Cramer, Anne Dolfi and Lily Scoville. Postmaster: Send address changes to: Professional Insurance Agents Magazine, 25 Chamberlain St., Glenmont, NY 12077-0997.
“Professional Insurance Agents” (USPS 913-400) is published monthly by PIA Management Services Inc., except for a combined July/August issue. Professional Insurance Agents, 25 Chamberlain St., P.O. Box 997, Glenmont, NY 12077-0997; (518) 434-3111 or toll-free (800) 424-4244; email pia@pia.org; World Wide Web address: pia.org. Periodical postage paid at Glenmont, N.Y., and additional mailing offices.
©2023 Professional Insurance Agents. All rights reserved. No material within this publication may be reproduced—in whole or in part—without the express written consent of the publisher.
Vol. 67, No. 2 • February 2023 • Connecticut
COVER DESIGN Anne Dolfi
COVER STORY How do I advise my clients on what matters most? An insurance agent’s guide to cybersecurity
FEATURE Cyber security challenges and remote workers: Trends and best practices
DEPARTMENTS In brief • Tech • Sales • E&O • Ask PIA • Readers’ service and advertising index • Officers and directors directory
IN BRIEF
TOP 10 CYBER SECURITY TRENDS TO WATCH OUT FOR IN 2023
1. Rise of automotive hacking. The more smart devices that people use (connected through Wi-Fi and Bluetooth), the more opportunities hackers have to attack and take over these devices, or eavesdrop via microphones.
2. Potential of artificial intelligence. AI is being used to develop smart malware and attacks to bypass the latest security protocols in controlling data.
3. Mobile is the new target. Mobile banking malware or attacks in 2019 increased by 50%. Other information on smartphones that can be hijacked: photos, financial transactions, emails and messages.
4. Cloud is potentially vulnerable. Although cloud applications (e.g., Google or Microsoft) are well equipped with security on their end, users still need to be aware of errors, malicious software and phishing attacks.
5. Data breaches: Prime target. Remember: Any minor flaw or bug in your system browser or software can be exploited by hackers to access personal information. Keep all your systems current and updated.
6. IoT with 5G Network: The new era of technology and risks. 5G architecture is comparatively new and it requires a lot of research to find loopholes to make the system secure from external attack.
7. Automation and integration. The more systems that are automated, the more safeguards that are needed to make sure that a system is secure.
8. Targeted ransomware. Another important cyber security trend that can’t be ignored is targeted ransomware. Training your employees to be cautious about phishing attacks can help keep your agency more secure.
9. State-sponsored cyber warfare. The cyber fights between different countries will continue to be an issue in 2023. We should continue to see high-profile data breaches this year.
10. Insider threats. A data-breach report by Verizon stated that 34% of total attacks were directly or indirectly made by the employees.
PASSWORD TIPS TO PROTECT YOUR AGENCY & CLIENTS:
STRONG PASSWORDS TO USE:
» 16 characters long
» Include capital letters or lower case letters
» Digits and punctuation marks
» DO NOT include personal information
WEAK PASSWORDS: DO NOT USE
» 123445
» password
» Social Security number
‘See it in the Eyes’ ransomware attack, a case study
Yigal Behar, president/CEO, 2Secure Corp.
When the “See it in the Eyes” ransomware attack occurred in 2022, it took approximately 16 hours to detect it, and it involved the Phobos Ransomware, aka Eight Virus. The victim, a jewelry company, was unable to open its business the next day following the attack. All its servers, with their files, emails and databases, were encrypted. Making matters worse, the backups for the applications and data also were encrypted, because they were not stored off-site, but on the same system as the business-critical files.
By the time a resolution had been reached, 71 days had passed, and it cost the owners of the store $35,000 to rebuild its entire digital presence, the virtual servers, and the applications that it used to process in-store and e-commerce orders. An estimate of $285,000 was paid out in soft costs, and $25,000 was paid directly to the attackers to restore the data.
Many people believe that cyberattackers primarily target big corporations, because of the potential for a big monetary payout. This example refutes this thinking, because the targeted company was a small jewelry store, with only 30 employees. The company was targeted because its cyber security measures were inadequate (i.e., its backups were located on-site and on the same network as the primary data, and it had a networking misconfiguration).
Cybercriminals take great delight in attacking small businesses, because there are so many of them, and because many of them take cybersecurity too lightly. The truth is, no one is immune from cyberattacks, and every business that has any assets is subject to attack. In the case of the jewelry store, the one thing it did right was purchase cyber security insurance.
About the ransomware
The Phobos Ransomware, aka Eight Virus, is not new. It appends segments on to file names making them unrecognizable to any operating system. The appended segments include the file’s original name, your company ID (so they know who they attacked), an email address you can use to contact them, and the word “eight” (hence the virus name). Even if you could rename the file to make it recognizable, the encryption makes it unreadable. Currently, there are no effective decryption tools available to help with data recovery.
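For responders sizing up an incident like this one, the appended segments are enough to sort a file listing into encrypted, untouched and needs-review groups and to recover the original names for the inventory of what was lost. The sketch below is an added example, not part of the original article or any vendor tool; the exact segment order and punctuation (`<original>.id[<ID>].[<email>].eight`), the function names and the sample listing are assumptions constructed for illustration.

```python
import re
from collections import Counter
from pathlib import PureWindowsPath

# ASSUMPTION: the appended segments follow the layout
#   <original name>.id[<victim ID>].[<contact email>].eight
# The article lists these segments but not their order or punctuation.
RENAMED = re.compile(
    r"^(?P<original>.+)"
    r"\.id\[(?P<victim_id>[^\]]+)\]"
    r"\.\[(?P<email>[^\]\s@]+@[^\]\s@]+)\]"
    r"\.eight$",
    re.IGNORECASE,
)


def parse_renamed(path):
    """Return the appended segments of one renamed file, or None if the name does not match."""
    p = PureWindowsPath(path)
    m = RENAMED.match(p.name)
    if m is None:
        return None
    return {
        "folder": str(p.parent),
        "original": m.group("original"),
        "victim_id": m.group("victim_id"),
        "email": m.group("email").lower(),
    }


def triage(paths):
    """Sort a file listing into encrypted, review and untouched entries."""
    report = {
        "encrypted": [], "review": [], "untouched": [],
        "victim_ids": Counter(), "emails": Counter(), "folders": Counter(),
    }
    for path in paths:
        hit = parse_renamed(path)
        if hit is not None:
            report["encrypted"].append(hit)
            report["victim_ids"][hit["victim_id"]] += 1
            report["emails"][hit["email"]] += 1
            report["folders"][hit["folder"]] += 1
        elif path.lower().endswith(".eight"):
            # Carries the extension but not the other segments: check by hand.
            report["review"].append(path)
        else:
            report["untouched"].append(path)
    return report


def backups_hit(report, backup_roots):
    """True if any encrypted file sits under one of the given backup folders."""
    roots = [r.lower().rstrip("\\") for r in backup_roots]
    return any(
        hit["folder"].lower() == root or hit["folder"].lower().startswith(root + "\\")
        for hit in report["encrypted"] for root in roots
    )


# Constructed sample listing (not taken from the incident).
SAMPLE_LISTING = [
    r"D:\Shares\Inventory\stock-2022.xlsx.id[1A2B3C4D-0001].[contact@example.invalid].eight",
    r"D:\Shares\Mail\archive.pst.id[1A2B3C4D-0001].[contact@example.invalid].eight",
    r"D:\Backups\nightly.vhdx.id[1A2B3C4D-0001].[contact@example.invalid].eight",
    r"D:\Shares\Inventory\readme.txt",
    r"D:\Shares\Docs\figure eight.docx",
    r"C:\Users\Public\notes.eight",
]

if __name__ == "__main__":
    result = triage(SAMPLE_LISTING)
    print("encrypted:", len(result["encrypted"]), "untouched:", len(result["untouched"]))
    print("victim IDs:", dict(result["victim_ids"]))
    print("contact addresses:", dict(result["emails"]))
    print("backups affected:", backups_hit(result, [r"D:\Backups"]))
    for hit in result["encrypted"]:
        print(f'  {hit["folder"]} -> {hit["original"]}')
```

A listing in which the backup folder shows up among the encrypted paths is the situation the store faced: backups kept on the same system as the data they protect.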
This ransomware was effective in disrupting the business, and in addition to the money paid to the attackers, and the cost to rebuild the entire infrastructure, there was an additional soft cost of $285,000. This was the amount of money that had to be paid to employees during the 71 days the business was down, which the store was unable to bring in through earnings. Of course, the company was obliged to shut down during that entire period, because it had no inventory data to draw on, and no way to record sales.
Timeline of the attack
The attack occurred on Sunday, April 10, 2022, at 6:45 p.m., when the store was closed. The servers were unprotected and vulnerable to attack. The encryption was carried out overnight, and by Monday morning, the IT manager called to report a blue screen on the host virtual machine, which led her to think there was a problem with the operating system.
All workstations were affected, as well as the virtual host server and the network-attached server. By Monday afternoon, it was apparent that the jewelry store owners should contact their insurance company, as well as the FBI to begin an investigation. Recovery was started on Tuesday by the forensic company, which started to analyze the cause of the breach.
On Wednesday, temporary email on Microsoft Exchange was set up, so the store could have some communication with clients and business associates. However, it wasn’t until June 23 that the store had recovered to the point when it had a fully functioning system and could carry on business as usual.
However, during the 71-day recovery period, the business’s website suffered an attack, and it was significantly defaced. Clearly, the website lacked adequate protection from cyberattack, and it was just as vulnerable as the business’s host network. When the files were recovered, it was discovered that many emails had been corrupted and included malware, which could have launched a secondary attack. All these were successfully removed, and any further disaster was thwarted.
How did the ransomware enter the victim’s system?
An improperly configured firewall left a port open to attack, and this provided the entry point for the ransomware to penetrate the system. The firewall had been configured with security in mind, and some of the ports were changed to thwart a cyberattack. However, cybercriminals will go through the entire port range until they find something that appears vulnerable, and that is what happened in this case.
No one is immune from a cyberattack. Committed criminals will keep working until they find a way to breach your system. The fact that saves most businesses is that cybercriminals haven’t heard about them yet, and they haven’t focused on carrying out attacks on those systems.
The lingering damage
Any business that is forced to close for over two months will suffer serious financial loss. In addition, any breach like this quickly becomes public knowledge and results in a loss of confidence in the business that was attacked. Casual observers may feel that the affected business lacks adequate security measures, and they are hesitant to do business with them. That loss of confidence translates to ongoing loss of business for a business because customers prefer to patronize more secure companies.
No one wants to have their personal data exposed to cybercriminals, because they fear that they could become the next victims.
Suppliers and vendors also are hesitant to resume business relationships, knowing that the business has suffered a major security breach, and that they could be indirectly affected by it.
Most businesses that are victims of an attack take a while before they fully recover, and regain the confidence of clients, vendors, and other business associates.
The cost of suffering a ransomware attack goes beyond the monetary amount the business is obliged to pay out, and can continue on into the future like a ripple effect.
Ransomware backup
The jewelry store attacked by the Phobos Ransomware could have avoided this heartache and financial damage by having adequate backups of data and virtual servers prepared. It doesn’t matter whether you have backups stored off-site or on the cloud, it’s just essential to have backups you can access if someone hijacks your business-critical data and holds it for ransom.
If you still are using tape backups, keep in mind that damage can occur to the magnetic component of tapes over time, so they will need to be replaced at least annually. In addition, it will take longer to restore the data off the tapes.
And, cloud-based backups also can be breached if the vendor’s security is compromised. It’s good to remember that there is no security protection system that can give you complete protection against cyberattacks—so you should plan for multiple contingencies.
Don’t forget about insurance
Another good step to take to protect your agency is to acquire insurance against attack. In the event you are attacked, you’ll have to pay a higher premium afterward because you demonstrated that your security could be breached. However, the increased cost of premiums is well worth it, so you don’t end up bearing the entire financial cost of damages yourself. [EDITOR’S NOTE: Don’t leave your own agency exposed to the aftermath of a data breach—PIA offers you access to a cyber liability policy for your agency. Get a quick quote today. Logon to: www.pia.org/quote/cyber.php.]
The jewelry store could have faced financial ruin if it hadn’t purchased cyber security insurance beforehand. It managed to avert total disaster because it didn’t have to pay all those costs mentioned in this article on its own. Whatever the cost of insurance, backups and security measures, it will be far less than what it would cost if your agency is obliged to close its doors forever.
Behar is president/CEO of 2Secure, a cyber security assessment company. Reach him at (646) 560-5083 or cyber@2secure.biz. You can download his book Digital War–The One Cybersecurity Strategy You Need to Implement Now to Secure Your Business for free at http://www.2secure.biz/. The book also is available on Amazon in paperback or Kindle versions at a discount.
CLARE IRVINE, ESQ. Government affairs counsel, PIA Northeast
Managing risks with cyber liability policies
On Sept. 8, 2022, Suffolk County, New York, learned a professional hacking group known as BlackCat had gained unauthorized access to over 20 agencies with the county. Everybody from the police forces, to social services, to emergency dispatchers were forced to figure out a way to continue providing services to the county without their computers, data, email or internet.[1]
For almost a month, the county could not even perform a title search, which halted real estate transactions. Shortly after the hack, nonpublic information accessed by the attackers turned up on the Dark Web, including everything from sheriff’s records, to county contracts, to personal information on county residents.
Prior to the attack, Suffolk County had invested in cybersecurity and conducted simulations specifically to prepare for such an event. Yet, the county’s systems lacked safeguards—such as multi-factor authentication that have rapidly become standard for security purposes—and it remained exposed to an attack.
Cyber liability insurance policies will never fully protect a business from a cyberattack or cover all the subsequent costs of maintaining business operations. Yet in a rapidly changing area, they offer comprehensive risk management by proactively forcing businesses to rethink their security systems on a regular basis in ways that can reduce the potential damage of an attack drastically and allow for continued business operations. Thinking about a cyber liability policy as a more comprehensive tool to protect a business could show an organization how to prepare to keep operating and minimize the damage done by a security breach.
The application as a risk manager
In the last decade, multi-factor authentication has gone from a rarity to a standard business practice. Cyber liability applications and policies reflect this shift. Applications reflect cyber security measures that range from expected practices to newer measures designed to protect against current attacks. Questions also involve system designs and data storage to reflect how these structures and decisions may impact the severity of a cyberattack and the aftermath. Beyond a cyberattack, these also may help with business recovery after a natural disaster (think off-site backups).
Cyber liability policies and the accompanying applications are living documents, updated frequently to reflect the rapid changes in the risks. As a result, the questions asked about a cyber security program and system design give strong indicators regarding what measures businesses should consider adopting. In a review of cyber liability policies, the RAND Corp. found that the questions may vary, but fall into four general categories: 1. organization; 2. technical; 3. policies and procedures; and 4. legal compliance.
These categories reflect the factors of a comprehensive data security system. Simply installing a firewall and requiring a password does not protect a computer system. Increasingly, human behavior leaves businesses susceptible to security breaches through phishing emails. Plus, it provides ways for a hacker to access an organization’s entire data system. Simply limiting access to critical systems may not prevent an attack, but it can reduce the damage done by containing it.
Unlike regulatory requirements, cyber liability applications are regularly updated to reflect recent attacks and changes to the recommended best practices. Understanding the application questions and their purpose can help an insured complete the forms and emphasize why certain policies may be required. While many measures included on an application may not be required by the cyber liability carrier for that policy, that could change rapidly as well.
Understand the limits
In a study of over 100 CFOs and senior financial executives, FM Global found that 45% of those surveyed executives thought their cyber liability policy would cover most of the related losses from a cyber security event, while 26% of respondents expected all losses to be covered.[2] Yet, with the high cost of cyberattacks, insurers write policies to reduce and contain their own exposure. The coverage should be evaluated based on what’s covered, what’s excluded, and the applicable sublimits to ensure proper understanding of the policy and potential exposure following a loss.
Generally, coverage for first-party covered losses breaks coverage into four categories: 1. data compromise response; 2. identity recovery; 3. computer attack; and 4. cyber extortion.[3] When it comes to third-party coverage, the sublimits get broken down into compromised data, network security, and electronic media. While the lack of standardization makes it important to review each policy’s specific coverage terms, the evaluation of policies by the RAND Corp. found that there was not substantive variation in policy coverages. The variations came from the policy exclusions, which could create problems for policyholders. Cyber liability policies may exclude criminal, fraudulent, or dishonest acts. Physical harm also may be excluded despite also being a potential data breach. As cyberattacks become more complex, the exclusions may reflect the changes as insurers attempt to reduce their own exposures to increasingly expensive breaches.
The costs of a cyberattack
Beyond the challenge of understanding cyber liability policies is the cost. Underwriting cyber liability proves far more challenging for carriers due to the rapidly changing nature of the losses and lack of historical data. The costs of data breaches have been increasing, especially with the rise of ransomware attacks. From 2020 to 2021, the average cost of a security breach has risen 10% with those costs almost certain to increase in 2022.[4] IBM Security estimates each piece of personal identifiable information stolen in a cyber security breach costs $180 alone.[5] While insurance could cover some of the expenses, other costs associated with a security breach would be excluded or not covered by the standard policy. Some of the costs, especially those associated with lost business and reputational damage, may be difficult to quantify, much less make up with an insurance policy. This leads back to the questions on the application offering pointers to reducing the potential costs along with the risks. Businesses with more developed security systems updated frequently to respond to contemporary threats face reduced costs following a cyber security breach. System design and offline system backups can further reduce costs by containing a potential breach and protecting records. The sublimits within a cyber liability policy further emphasize the need to think of the potential costs when reviewing a data security system to balance out the proactive steps to protect a business from a cyberbreach and finding an available cyber liability policy to cover some costs.
Conclusion
Reviewing the cyberattack on Suffolk County strongly suggests an interconnected system that made it impossible to contain the damage. The aftermath also shows how crippling such an attack can be on an organization with the county unable to accept any online payments over two months after it took the computers offline.
Cyber liability insurance cannot stop a business from being attacked. However, independent agents who understand the role of updated requirements in policies and the extent of the policy’s sublimits and exclusions can help their clients understand how to manage these risks in a way that allows for an attack to have a minimal impact on their operations.
Irvine is PIA Northeast’s government affairs counsel.
[1] The New York Times, 2022 (nyti.ms/3hxunQ5)
[2] FM Global, 2019 (bit.ly/3HCbGWj)
[3] Sasha Romanosky, Lillian Ablon, Andreas Kuehn, Therese Jones. “Content analysis of cyber insurance policies: how do carriers price cyber risk?” Journal of Cybersecurity. Volume 5, Issue 1. February 2019
[4] IBM Security, 2021 (ibm.co/3WgjHUP)
[5] Ibid.
DAVE KAHLE President, Kahle Way Sales Systems
The solution: Is it them, or is it me?
In this rapidly changing economy, everyone is looking for a simple fix to deal with the uncertainty of our economic environment. It seems like few are happy with their situations. And, all but a few point their fingers at the changing economy and vibrant competitive environment as the source of their dismay.
The comments I overheard at one of my recent sales seminars were representative. One salesperson complained that his customers were shrinking and going out of business. Several complained about customers’ pressure to lower prices. Still others complained about desperate competitors’ feverish attempts to generate cash flow by discounting dramatically. And, of course, everyone is concerned about the lingering impact of the COVID-19 lockdown.
There must be a genetic inclination in humans to look outside ourselves and blame those things that are outside of our control for our situations. We lament the conditions outside of ourselves and cast ourselves as victims. If only someone else would fix it. Maybe the government will make everything good again.
Unfortunately, if our gaze is directed at them—those conditions in the market that have changed and are outside of our ability to control—we will never free ourselves from the constraints on our income and prosperity. We can’t do anything about them. The real secret to improving our conditions is to work on us.
As author James Allen said: “Men are often interested in improving their circumstance, but are unwilling to improve themselves, they therefore remain bound.” What was true a hundred years ago is still true today. Salespeople, sales managers, and sales executives need to look inward—at themselves and their sales teams—for the solution to their problems.
Salespeople
It may have been OK a few years ago for salespeople to have their own style of selling, to never invest in their own improvement, and to make their living off their existing relationships. Today, all of these are obsolete ideas that must be changed. It’s time to look inward and work on yourself.
To effectively deal with the changing economy, salespeople must become more strategic and thoughtful about the investment of their sales time, and they must bring value both to the customer and to their employers in every sales call. They must view their jobs as professions, not just jobs, and become serious about improving themselves. In many cases, salespeople will have to gain new skills in working from a home office and running sales calls via phone and video technology.
In a world where it is obvious that good salespeople sell more than mediocre salespeople, they must decide to become better salespeople. That means investing in their own improvement and striving to achieve higher levels of competency and thus, better results.
Those salespeople who survive and thrive in this climate will be those who understand the path to their prosperity lies not in the outside world, but in themselves.
Sales managers
Likewise, sales managers must stop coddling those salespeople who aren’t interested in—or committed to—continuous improvement and greater levels of productivity. They must be sensitive to those salespeople who will refuse to strive to add new skills, and they’ll need to hold them accountable for practical expectations of growth and development. They need to put in place practices and disciplines that call for quantifiable expectations on the part of their sales team, regular measurements, and greater thoughtfulness and strategic planning.
They must demand continuous improvement and thoughtful efforts to increase market share.
Sales managers must look inward, understanding that their chances of success are dependent on them, not the market—understanding they can do it better, and doing it better brings better results.
They must examine their sales forces and use this window of opportunity to weed out those salespeople who have no interest in development, who don’t have the capability to succeed as a professional salesperson, and who aren’t committed to their own personal success. Now is the time to review the bottom third of their sales forces and aggressively seek to upgrade.
Sales executives
Chief executive officers and chief sales officers need to recognize that the current state of the economy, and the resulting impact on the attitudes and perspectives of employees, has delivered a once in a lifetime opportunity to make significant changes in the structure of the sales force.
Recall just a little over a year ago. Making wholesale changes in sales territories, account responsibilities, the role of the inside and outside salesperson, sales management practices, compensation plans, and expectations for continuous improvement, would have been met with resistance from most of the sales force. Today, most salespeople are willing to cooperate, and they are acutely aware that they can be replaced if they don’t follow your lead. Those CEOs and CSOs who look inward and use this window of opportunity to streamline and rationalize their sales systems will increase their productivity and lay the groundwork for disproportional growth when the economy shifts.
The world is full of victims who lament their condition and blame their fate on sources outside of their control. Leaders accept their responsibility to look inward and improve themselves.
Kahle is one of the world’s leading sales authorities. He’s written 12 books, presented in 47 states and 11 countries, and he has helped enrich tens of thousands of salespeople and transform hundreds of sales organizations. Sign up for his free weekly Ezine (www.thesalesresourcecenter.com/dkezinesubscribe). His book, How to Sell Anything to Anyone Anytime, has been recognized by three international entities as “one of the five best English language business books.” Check out his The Good Book on Business
How do I Advise My Clients On What Matters Most?
An insurance agent’s guide to cybersecurity
RICH PHILLIPS Channel manager, Cyberstone Security
Insurance agents know cybersecurity is important. After all, the average cost of a critical infrastructure breach is up to $4.35 million¹—a number that climbs every year. Much of this cost is attributed to lost business—a loss of money in fixing the problem itself, but also the real possibility of a loss of future revenue, too. You can’t afford to be caught off guard.
Cyber concerns for insurance agents are twofold. You’ll need to safeguard your own data and systems to protect your agency from data theft, hacks, loss of reputation, and liability. You also serve as an important resource to your clients, and you can provide them with valuable information about how to mitigate their risk.
As a trusted partner for your clients, you should be able to provide basic suggestions about the most salient points of cyber security protection. As many of your clients may be on a limited budget or have only a basic understanding of the importance of cybersecurity, you should have some basic metrics in mind when broaching the topic and be able to rank the IT protocols that are most important to them.
What should you recommend your clients focus on? Some basics of cyber security protections include multi-factor authentication, vulnerability scanning, penetration testing and user security awareness training.
Multi-factor authentication for all
Multi-factor authentication is a must in today’s world. It adds an extra layer of security by requiring, as the name implies, more than one method of authentication. This can include many combinations of the following: something you know (e.g., a password or code), something you have (e.g., a keycard), or something unchangeable about you (e.g., a fingerprint or other biometric scan).
As you’re likely aware, passwords should be changed regularly. Experts suggest you should alter them at least quarterly to best protect your sensitive information.² Passphrases are also a strong way to better protect your credentials. Your dog’s name and your favorite sports team are pretty easy for hackers to learn via social engineering, but they’ll be hard-pressed to guess your password when it’s a running phrase like, “Iliketacotuesdaysandthrowbackthursdays.”
Whichever approach an organization decides to take, be sure that all members of the team are doing the same thing. Your system is only as safe as its weakest link. Properly educating your staff on the preventative measures you require is a critical part of cybersecurity best practices.
You also should recommend to your clients that they change their passwords regularly and/or use passphrases. This is true both for their accounts that have nothing to do with you (e.g., their LinkedIn or email profiles) and the login to their payment portal or insurance document account through your agency.
Keeping yourself aware of cybersecurity best practices helps you and benefits your clientele. You can be a strong advocate to protect your customers—both as someone in the know and as a party with a vested interest. After all, if they don’t change the password for their login on your portal, a breach of their system could lead to a breach of yours.
Keycards may be less relevant for many insurance agents and their clients, but be sure your staff knows not to share swipe cards or other methods of entering the building with others. This will both keep you safe and lower your liability in the event of an incident. By knowing who is coming and going and when, you can better secure both your staff members’ well-being and the data your systems contain.
Biometric passwords are likely the way of the future, with companies like Apple,³ and possibly Google and Microsoft, planning to switch to passkeys that rely on face or fingerprint recognition as the gateway to logging in. At the present time, this prevents most phishing and hacking scams from being effective. However, you should stay up to date on trends, as attacks will become more sophisticated over time. Still, if you have the option to select biometric passwords, they are a good alternative to traditional ones—both for internal systems and for client-facing portals.
Multi-factor authentication most commonly involves a password and a code sent in real time to an email or phone number. It also may involve a biometric login plus a code or a password. This dual level of protection always is better than just one. The stronger each element is within the MFA, the better.
Testing insurance agents, clients
Penetration testing also is an important part of IT for insurance agents and their clients. This assessment simulates a hacker attack to test the security of a system. By doing this, you can find weaknesses in your system and then take steps to fix them before a real attack happens. Agents should have their managed services provider or IT team conduct periodic penetration testing to verify the security of their systems. This is a critical step toward protecting the sensitive client data that you may have in your electronic files.
Not familiar with MSPs? In essence, they provide IT support and preventative services to businesses. They can help with a variety of tasks, including providing access to the latest security patches and software updates, monitoring systems for signs of intrusion and malware activity, and providing guidance on best practices for cybersecurity. Working with an MSP can help insurance agents to stay protected from cyber security threats. Your MSP can handle penetration testing on your behalf.
You also can express to your clients the importance of conducting a penetration test on their own systems, particularly if you are sharing data back and forth electronically with them. This is important for two reasons: (1) it protects them, and (2) a more robust security effort on their part ultimately safeguards your system against a hacker, too. If they are infiltrated and they have shared portals to your system, you are more likely to suffer a breach.
Why agents are vulnerable?
There are a few reasons why insurance agents may be more vulnerable to cyber security threats compared to other professionals. First, insurance agents often deal with sensitive client information. This includes things like Social Security numbers, credit card information, and medical records. If this information falls into the wrong hands, it could be used for identity theft or fraud. Agents may be targeted specifically by hackers because of the type of information to which they have access.
Another reason why insurance agents may be more vulnerable to cyber security threats is that they often work with clients remotely. This means that they may not have the same level of security as someone who works in an office. If working from home, some agents may lack access to the same type of firewalls and antivirus software that could be in place in a brick-and-mortar office, which can leave them open to attacks.
Finally, agents may be targeted by hackers to disrupt the operation of their parent insurance company and demand large ransoms. A breach in your system could open the door to hackers accessing data or systems of the insurance companies with which you do business.
Protect yourself and your clients
There are a few additional steps that insurance agents can take to protect themselves from cyber security threats. You also can recommend these steps to your clients.
Make sure that your systems are up to date with the latest security patches. You also should install and use antivirus and antimalware software. If you aren’t sure how to approach this task, consult your IT department or your managed service provider.
Insurance agents also should be careful about the type of information they share online. You should avoid sharing sensitive client information or company information on social media or in emails. If you do need to share this type of information, encrypt it before sending it.
Proper storage and transmission of information is imperative. If clients need to send sensitive information to insurance agents, they should encrypt it before sending it. This can help to protect the information from being intercepted by hackers. Customers also can use a secure file sharing service to send files to insurance agents. Typically, this type of service will encrypt the files before they are sent.
Insurance agents should store customer information in a secure database. They also should encrypt this information to help protect it from being accessed by unauthorized individuals. Insurance agents should have a process in place for regularly backing up this information. This will help to ensure that it can be recovered if it is lost or corrupted.
Finally, insurance agents should consider investing in cyber insurance. This type of insurance can help to cover the costs of damages that occur because of a cyberattack. It can help to cover the costs of recovery if sensitive client information is stolen. You might recommend cyber security insurance to your clients, and, in some cases, you may be able to sell it to them as part of their insurance portfolio with you.
Cyber security insurance is a growing industry as the pace of breaches increases rapidly and the cost of those attacks continues to snowball. In fact, by 2025 the global cyber insurance market is expected to be $20 billion. Insurance clients opting for this coverage⁴ rose from 26% in 2016 to 47% in 2020. This could be due in part to the fact that the costs of cyberattacks nearly doubled between 2016 and 2019 in the United States.
To have cyber insurance coverage, note that you will have to abide by certain rules. Insurance companies expect their customers to have safeguards in place like strong firewalls and encryption protocols, multi-factor authentication, software update schedules, regular assessment and repair of vulnerabilities, best-practice handling and storage of sensitive data, and secure financial transactions.
This is another reason to encourage your clients to follow cyber best practices: They likely won’t be eligible for cyber insurance coverage if they do not. Though today cyber security insurance is just a suggestion, in the future, it could become a standard part of a business insurance policy. Protecting your digital assets and your reputation, plus reducing your liability, are enough reason to tighten up your cyber security strategy. However, getting ahead of the curve for when cyber security insurance becomes a necessary standard is a strong reason, too. Cybersecurity is an important issue for insurance agents and their clients. By taking steps to protect themselves from cyber security threats, they can help to keep their clients’ information safe as well.
Phillips is a skilled cyber security manager with years of experience helping organizations simplify the complexities of cybersecurity. He is passionate about developing actionable strategies that demystify the inherent intricacies of technology for organizations located across the country. He is a channel manager with Cyberstone Security—a niche cyber security consulting firm that helps organizations develop and enhance their information security programs, reduce risk, and achieve compliance with state and federal information security regulations, through services such as vulnerability assessments and penetration testing.
1 Upguard, 2022 (bit.ly/3j0LVoc)
2 McAfee, 2022 (bit.ly/3Fntwtg)
3 CNET, 2022 (cnet.co/3BBLvv0)
4 GAO, 2022 (bit.ly/3j3I2Pt)
Cyber security challenges and remote workers
Trends and best practices
MICHAEL EVANS Founder, USPA Nationwide Security
According to our research, collaboration platforms used in the insurance industry have increased the likelihood of hackers targeting their users. Consequently, these organizations should focus on protecting their remote workforces from cyberattacks. This can be accomplished in several ways, including training remote employees and implementing cyber security policies.
A recent survey indicates that one-fourth of employees are concerned about cybersecurity when working from home. Many people receive spam and fraudulent emails because of phishing and scams. It is unfortunate that many of them do not take adequate precautions against these threats.
It is common for the insurance industry to utilize cloud-based software programs—including NowCerts, Jenesis, and Applied Epic Software—to exchange insurance information and data, administer insurance policies and benefits, track licenses and documents, manage commissions, manage tasks, manage claims, generate reports, and provide self-service certificates. When managed by experienced IT professionals in the workplace, the information usually is safe. However, it is when home-based workers access sensitive data, without the proper security protocols in place, that there can be problems. This type of exposed information poses a formidable threat to the insurance industry as well as to the insured. Insurance agencies may be vulnerable to ransomware attacks if they have the slightest vulnerability, which usually results from a home-based login.
Although ransomware’s future cannot be predicted, there are several trends that will shape the threat landscape in the years to come. Soon, ransomware attacks are likely to increase dramatically. By utilizing this model, small-time cybercriminals can carry out ransomware attacks that can climb to large-scale operations.
Over the past three years, ransomware attack demands have increased by more than 100%. Part of the reason for this is the increasing success of ransomware attacks, as well as the fact that more companies are paying up to recover their data. For instance, health care organizations have experienced some of the highest demands since a disruption could result in the loss of lives. Both Telecom Argentina and Light SA reportedly have experienced ransoms of more than $14 million—and these demands are expected to continue to rise.
A cyberattack on Shoprite Group, a South African supermarket chain, also has occurred recently. The RansomHouse ransomware gang published screenshots of the stolen information on its Telegram channel and boasted of its attack on the company. The attack also affected other companies, including the American Dental Association and Deutsche Windtechnik.
Why this is such a big problem
There are several factors that contribute to these high-level attacks that may originate with employees who are working remotely.
Software programs used by workers operating from home may not be protected by firewalls. Home computers are increasingly being attacked by cybercriminals. Most home computers do not have a firewall, which makes them vulnerable to hackers. Hackers who discover such vulnerabilities wait for an opportunity to exploit them.
A poorly implemented remote access solution can pose a serious security risk. It is inevitable that faulty configurations will arise from the deployment of remote infrastructure under time pressure. Cyberattacks and infringements are likely to increase dramatically as a result. Additionally, remote employees may not be as vigilant at protecting sensitive data as they may be when they are in the office (e.g., they may leave their computers unlocked or paper documents lying on their desks). Thus, unsecured devices usually are attacked within a short period of time.
There are many businesses that use remote-working methods to increase their efficiency, but the problems do not end there. It is common for employees to lack the necessary tools to protect their data—making them more susceptible to cyberattacks. Additionally, there is a risk that malware will be transmitted through email.
Hundreds of studies and millions of data points have been analyzed by the Alliance for Connected Work. Commuting costs are higher than those associated with working in a traditional office—despite employees’ willingness to accept pay cuts and reduced benefits when working from home. Despite the costs associated with virtual-work options, employers who offer this option report a higher quality candidate pool. Remote workers are being targeted by cybercriminals, resulting in a 238% increase in cyberattacks.
Risks associated with ransomware attacks in cloud computing
Cloud computing is at risk of ransomware attacks. In addition to encrypting files, these malicious programs can encrypt entire servers owned by cloud-service providers. All cloud users will be affected by this change. Fortunately, ransomware attacks can be mitigated. Installing next-generation antivirus that automatically updates your operating system is one option. It is possible to implement web filtering to block infected websites. IT professionals also can provide technical assistance. Implementation of a disaster recovery plan is another method of protecting your cloud data from ransomware attacks.
Using least-privilege access to your cloud resources is one of the most effective ways to minimize the risk of ransomware attacks. It will prevent fraudsters from gaining access to your system, and it will minimize the impact of shockwaves when they do gain access. Replicating buckets is a smart idea, since it creates a backup in the event that your original data is corrupted or stolen. However, it is worth noting that replicating buckets may be expensive and may increase the attack surface. To prevent your data from being compromised, it is essential to balance these considerations with best practices.
To prevent ransomware from damaging your data, it is essential to take steps to isolate systems as soon as they appear on your network. The most effective way to protect your data is to ensure it is secure on your endpoints and to sync it to the cloud. There are several cloud back-up solutions suitable for this purpose. Do your research to determine the best system for your agency’s needs.
Best practices
As you establish and fine-tune your agency’s remote work policy and procedures, there are some best practices that you should keep in mind: You can protect your software, hardware, and data systems by hiring a cyber security firm. Even though these risks exist, most organizations have implemented cyber security measures for their home-based employees. Trends indicate that a good number of employees feel more productive at home. However, some employees feel that they have had decreased productivity since they started remote work. There are many advantages associated with working from home, but there also are some challenges, such as limited IT tools, privacy concerns, and interruptions to family life.
To avoid regulatory fines, risk management of systems, internal controls, expert analysis, and implementation are necessary. Managing cyber security risk is an important responsibility for virtually every insurance agency. As the world becomes increasingly digital, cyber security issues are driving increased regulatory and legal pressure on companies.
Likely changes in the future
With the growing importance of cyber risk management, the Securities and Exchange Commission has issued several recent proposals. These proposals focus on improving the disclosures of public companies about cybersecurity. They are designed to make information about cyber risk more consistent and to address some of the significant issues that public companies have had to deal with. The SEC is proposing new rules that would require public companies to disclose cyber security incidents in a more timely fashion. These rules also would require public companies to disclose details about their cyber security strategy and risk management policies.
This proposal follows several SEC enforcement actions against public companies. The proposed rules would require public companies to disclose cyber security incidents in four business days. The SEC seeks to standardize cyber security disclosures, and believes that investors could benefit from this type of consistent disclosure.
It also is proposed that public companies disclose their board members’ cyber security experience. These requirements may encourage public companies to seek out directors with greater cyber security knowledge. However, some corporate governance professionals have suggested that highlighting board members’ cyber security expertise could increase the risk of shareholder litigation.
Evans is the founder of USPA Nationwide Security, a protective firm operating on six continents providing close protection, fire watch and cybersecurity. After retiring in 2021, he began collaborating with USPA’s research and development team, developing its cybersecurity section (bit.ly/3uLo3Ym) as well as its autonomous drones and artificial intelligence training division.
Social engineering risk mitigation for cyber loss
E&O UTICA NATIONAL INSURANCE GROUP
You may be familiar with the concepts of social engineering and creating a human firewall in the context of information security. For those who don’t know, social engineering is defined as the use of deception to manipulate individuals into performing actions or divulging confidential or personal information that may be used for fraudulent purposes. A human firewall refers to the awareness level that all users must have to ensure that they provide an effective layer of security.
Employee behavior can have a big impact on information security for organizations. If those with legitimate access to your network can be manipulated into revealing their passwords or allowing unauthorized people to use their computers, all your information security tools may be worthless. What follows are some pre-loss, risk management ideas to help prevent unauthorized intrusions into your agency systems.
Reduce the likelihood of social engineering fraud
Many social engineers do not even possess a high level of technical skill. It is their people skills—their charm, trickery or intimidation— that get them where they are not supposed to be by convincing legitimate employees to disclose information that compromises the security of data, computer systems and networks. To prevent this, remember that the human firewall’s best weapon is common sense. How you can help:
• Provide security awareness training to ensure all staff members are aware of potential threats and can recognize social engineering attempts.
• Use strong passwords or passphrases and implement multi-factor authentication wherever possible.
• Dispose of nonpublic information properly by shredding it and do not leave nonpublic information unattended.
• Develop an incident response plan and test it periodically to ensure everyone knows how to respond to incidents and report them immediately to minimize any potential damage.
• Ensure you have a comprehensive set of information security policies and methods to ensure that everyone is following them consistently.
Key elements in security policies to mitigate social engineering risks include the following:
• Possess strong password policies (e.g., no generic accounts, all activity must be able to be traced to an individual, no sharing of accounts, penalties for violations, etc.).
• Data classification should clearly outline the information that is considered nonpublic (i.e., personally identifiable information, private information, protected health information, etc.).
• Build in device and software controls to regulate what users can and cannot do or install on their equipment and restrictions that they are used for work purposes only. Do not mix business with pleasure.
• Install antimalware to ensure that a comprehensive solution is implemented to detect and block any malicious activity.
• Implement access controls for periodic (at least bi-annually) review of access to all systems. Keep evidence of the review and approval of the current access list by a senior manager.
• Monitor the actions of employees to validate that tasks performed are for work purposes and to detect abnormal activity.
• Employ data loss prevention tools to detect exfiltration of nonpublic information from your systems.
• Focus on physical security to ensure only authorized personnel have access to areas containing nonpublic information.
• Require that computers be locked by users when they are left unattended. Do not rely on systematic locking mechanisms.
• Execute a risk assessment at least annually to evaluate the effectiveness of security controls and to understand any gaps.
• Perform a cybersecurity-focused risk assessment for all third-party service providers at least annually to ensure they also have implemented effective information security procedures.
To prevent a possible social engineering incident, employees should stop and ask themselves:
• Did you request this information?
• Are you expecting this request?
• Do you know the person requesting this information or asking you to act?
• Are you the right person to provide this information?
• Is there a specific business reason you would be asked for this information?
• Are you being asked for personal information?
• Does the request seem overly urgent or rely on your goodwill and genuine desire to be helpful to others?
There are instances when it is better to not be curious. Don’t open an attachment because it looks enticing or promises a benefit to you. Just delete it. Likewise:
• Never divulge personal information via phone or unsecured websites.
• Never click on links, download files, or open attachments from unknown senders.
• Be particularly aware of phone vishing as this tactic is becoming more popular.
• Beware of pop-ups and never enter personal information in one.
Remember, if it sounds too good to be true, it probably is. Nothing is free in the cyberworld. If you sign up for a free coupon, free newsletter, or social-media site, realize that all your information is being used and sold in the cyberworld.
Your most important asset is your people. That also is true when it comes to cybersecurity in your agency. Educate them. Train them. Remind them to use their common sense. If it sounds phishy—it probably is.
Social engineering terms to know
Phishing: An email, instant message, comment, or text message that appears to come from a legitimate company, bank, school, or other institution, typically sent to several users.
Spear phishing: A phishing attempt that is targeted to a specific user or group.
Vishing or voice phishing: The use of a phone (cell or landline) to attempt to gather personal or financial information from the target.
Smishing: A text message to a cell phone to get the user to click on a link or reply by texting a random phone number or truncated number (e.g., 44567).
Pretexting: An attacker pretends to legitimately need personal or financial data to confirm the identity of the recipient.
Baiting: A pop-up or download request meant to get your attention to trick you into clicking on it. Some examples may be a free popular movie, song, item to purchase, free item, or monetary incentive. The victim is prompted to log in, which typically grants remote access to the hacker or opens access to your computer that the hacker will use later.
Scareware: Tricking the victim into thinking the computer is infected with malware or that he or she has inadvertently downloaded illegal or malicious content. The attacker offers to help the victim fix the computer when the victim grants access to it.
Rogue: Malware that poses as security software to trick the victim into paying for the fake removal of malware.
Water holing: When an attacker attempts to compromise a specific group of people by infecting websites the group is known to visit to gain network access.
Diversion theft: When attackers try to trick a delivery company into going to the wrong location and try to intercept the delivery.
Tailgating: When someone attempts to slip into a building behind a user who has a valid area-entry badge.
Quid pro quo: When an attacker pretends to provide something in exchange for the target information or assistance. A hacker may call a selection of random numbers within an organization and pretend to be calling back from a legitimate tech support group.
Honey trap: When an attacker pretends to be a desirable person to interact with online or a person trying to establish a fake online relationship intended to gather sensitive information through that relationship.
Utica National Insurance Group and Utica National are trade names for Utica Mutual Insurance Company, its affiliates and subsidiaries. Home Office: New Hartford, NY 13413. This information is provided solely as an insurance risk management tool. Utica Mutual Insurance Company and the other member insurance companies of the Utica National Insurance Group (“Utica National”) are not providing legal advice, or any other professional services. Utica National shall have no liability to any person or entity with respect to any loss or damages alleged to have been caused, directly or indirectly, by the use of the information provided. You are encouraged to consult an attorney or other professional for advice on these issues. © 2023 Utica Mutual Insurance Company
Have a question? Ask PIA at resourcecenter@pia.org
Excluded drivers, bike accidents and more
Test drives
Q. Where does it say that the personal auto policy is the primary insurance when someone is test driving a car?
A. Generally, coverage under the named insured’s personal auto policy is excess if the vehicle is not owned.
However, an exception is mandated by Motor Vehicle Law Section 14-60 when the non-owned vehicle belongs to a garage that sells or repairs vehicles. For more information, see Item II.C. Other Insurance of the PP 01 54 endorsement, which reads as follows:
Any insurance we provide for a vehicle you do not own shall be excess over any other collectible insurance unless it is a vehicle insured under a policy affording coverage to a named insured engaged in the ‘business’ of selling or repairing motor vehicles. If this occurs, and the accident arises out of the operation of such vehicle by you or a ‘family member’ who is neither the person engaged in such ‘business’ nor such person’s employee or agent, we will provide primary insurance.
In this case, the personal auto policy is primary (as revised by the Amendment Of Policy Provisions–Connecticut PP 01 54 endorsement) and the garage policy is excess (as revised by the Connecticut Changes CA 01 07 endorsement).—Dan Corbin, CPCU, CIC, LUTC
Excluded drivers
Q. How can insurers exclude a specific driver from a private-passenger auto policy?
A. Connecticut state law delineates the minimum required coverages for private-passenger auto policies (C.G.A. 38a-335(d)). It states that, with respect to the insured motor vehicle, the coverage afforded under the bodily injury liability and property damage liability provisions in any such policy shall apply to the named insured and relatives residing in his household unless any such person is specifically excluded by endorsement. All such endorsements must be filed with and approved by the insurance commissioner.—Clare Irvine, Esq.
Coverage for bike accidents
Q. My insured’s car was hit and damaged by a bicyclist. To which policy—household auto or homeowners—should my insured look to recover for the damage caused by the bicyclist’s negligence?
A. The bicyclist’s homeowners policy. The personal auto policy insures autos and trailers for property damage liability, but excludes vehicles having less than four wheels (e.g., a motorcycle or bicycle).
The homeowners policy only excludes the operation of “motorized” vehicles, so coverage will apply to the use of a bicycle.—Dan Corbin, CPCU, CIC, LUTC
Flood-damaged personal auto
Q. My client’s car was damaged in a hurricane. Specifically, it was caught in a flood and was inundated with water. What should she expect for insurance coverage?
A. This loss is covered if your client has “Other than Collision” (comprehensive) coverage on her personal auto policy.
PART D–Coverage For Damage To Your Auto states that “Loss caused by the following is considered other than ‘collision’: ... 6. Hail, water or flood” [emphasis added].—Dan Corbin, CPCU, CIC, LUTC
ASK PIA: PIA TECHNICAL STAFF
PIACT 2022-2023 Board of Directors
OFFICERS
President
Bud O’Neil, CPIA C.V. Mason & Co. Inc. PO Box 569 Bristol, CT 06011-0569 (860) 583-4127 boneil@cvmco.com
President-elect
J. Kyle Dougherty, CIC Dougherty Insurance Agency Inc. 2420 Main St., Ste. 5 Stratford, CT 06615-5963 (203) 377-4394 kyle@doughertyinsurance.com
Vice President
Nathan L. Shippee Workers’ Comp Trust 47 Barnes Industrial Road S. PO Box 5042 Wallingford, CT 06492-7542 (203) 678-0110 shippee@wctrust.com
Vice President
Nick Ruickoldt, CPIA The Russell Agency LLC 317 Pequot Ave. PO Box 528 Southport, CT 06890-0528 (203) 255-2877 nruickoldt@therussellagency.com
Treasurer
Kevin P. McKiernan, CIC, CPIA Abercrombie, Burns, McKiernan & Co. Insurance Inc. 484 Post Road, Ste. A Darien, CT 06820-3651 (203) 655-7468 kmckiernan@abmck.com
Immediate Past President
Shannon Rabbett, CIC Rabbett Insurance Agency 233 Addison Road PO Box 665 Windsor, CT 06095-0665 (860) 688-1303 shannon@rabbett-insurance.com
PIA NATIONAL DIRECTOR
Jonathan Black, LUTCF, CPIA, CLTC, NAMSA, NSSA Curtis Black Insurance Associates LLC 57 North St., Ste. 119 Danbury, CT 06810-5626 (203) 792-3055 jblack245@gmail.com
DIRECTORS
Katie Bailey, CPIA, ACSR, CLCS The Russell Agency LLC 317 Pequot Ave. PO Box 528 Southport, CT 06890-0528 (203) 255-2877 kbailey@therussellagency.com
Scott Burns XS Brokers Insurance Agency Inc. 225 Asylum St. Hartford, CT 06103-1516 (617) 471-7171 sburns@xsbrokers.com
Nicholas Fanelli, CIC, CPCU, CLU Newberry Insurance Group 1760 Ellington Road South Windsor, CT 06074-2715 (860) 648-6330 papabearct38@gmail.com
Nicholas Khamarji Jr. New England Insurance PO Box 125 Easton, CT 06612 (203) 445-3594 NGK325@gmail.com
Patrick Walsh Insurance Provider Group 100 Great Meadow Road, Ste. 705 Wethersfield, CT 06109-2355 (860) 764-0555 pat@insuranceprovidergroup.com
PIACT-YIP REPRESENTATIVE
Ryan Kelly AJ Gallagher Risk Management 1 Enterprise Dr., Ste 310 Shelton, CT 06484-4631 (203) 367-5328 ryan_kelly@ajg.com
ACTIVE PAST PRESIDENTS
James R. Berliner, CPCU Berliner-Gelfand & Co. Inc. 188 Main St., Ste. A Monroe, CT 06468-1149 (203) 367-7704 jim@berlinerinsurance.com
Mark Connelly, CIC Fairfield County Bank Insurance Services 401 Main St. Ridgefield, CT 06877-4513 (203) 894-3123 mark.connelly@fcbins.com
John DiMatteo DiMatteo Insurance 79 Bridgeport Ave. Shelton, CT 06484-3254 jdimatteo@dimatteofinancial.com
Peter Frascarelli, CPIA Ferguson & McGuire 6 North Main St. Wallingford, CT 06492-3741 (203) 269-9565 pfrascarelli@fergusonmcguire.com
Michael F. Keating Michael J. Keating Agency Inc. 10 Arapahoe Road PO Box 270048 W. Hartford, CT 06127-0048 (860) 521-1420 mfkeating@keatinginsurance.com
Howard S. Olderman Olderman & Hallihan Agency 400 Main St. Ansonia, CT 06401-2303 (203) 734-1601 howard@oldhalins.com
Gerard Prast, CPIA XS Brokers Insurance Agency Inc. 13 Temple St., Floor 1 Quincy, MA 02169-5110 (617) 471-7171 gprast@xsbrokers.com
Augusto Russell, CIC Insurance Provider Group 100 Great Meadow Road, Ste. 705 Wethersfield, CT 06109-2355 (860) 764-0555 augusto@insuranceprovidergroup.com
Timothy G. Russell, CPCU The Russell Agency LLC 317 Pequot Ave. PO Box 528 Southport, CT 06890-0528 (203) 255-2877 trussell@therussellagency.com