How do I advise my clients on what matters most? An insurance agent’s guide to cybersecurity
February 2023 • New York
IN THIS ISSUE: Managing risks, cyber liability policies • Challenges with remote workers • Social engineering risk mitigation
Statements of fact and opinion in PIA Magazine are the responsibility of the authors alone and do not imply an opinion on the part of the officers or the members of the Professional Insurance Agents. Participation in PIA events, activities, and/or publications is available on a nondiscriminatory basis and does not reflect PIA endorsement of the products and/or services.
President and CEO Jeff Parmenter, CPCU, ARM; Executive Director Kelly K. Norris, CAE; Communications Director Katherine Morra; Editor-In-Chief Jaye Czupryna; Advertising Sales Executive Calley Rupp; Senior Magazine Designer Sue Jacobsen; Communications Department contributors: Athena Cancio, David Cayole, Patricia Corlett, Darel Cramer, Anne Dolfi and Lily Scoville. Postmaster: Send address changes to: Professional Insurance Agents Magazine, 25 Chamberlain St., Glenmont, NY 12077-0997.
“Professional Insurance Agents” (USPS 913-400) is published monthly by PIA Management Services Inc., except for a combined July/August issue. Professional Insurance Agents, 25 Chamberlain St., P.O. Box 997, Glenmont, NY 12077-0997; (518) 434-3111 or toll-free (800) 424-4244; email pia@pia.org; World Wide Web address: pia.org. Periodical postage paid at Glenmont, N.Y., and additional mailing offices.
©2023 Professional Insurance Agents. All rights reserved. No material within this publication may be reproduced—in whole or in part—without the express written consent of the publisher.
COVER DESIGN Anne Dolfi
Vol. 67, No. 2 • February 2023 • New York
COVER STORY: How do I advise my clients on what matters most? An insurance agent’s guide to cybersecurity
FEATURE: Cyber security challenges and remote workers: Trends and best practices
DEPARTMENTS: In brief • Tech • Sales • E&O • Ask PIA • Officers and directors directory • Readers’ service and advertising index
IN BRIEF
TOP 10 CYBER SECURITY TRENDS TO WATCH OUT FOR IN 2023
1. Rise of automotive hacking. The more smart devices that people use (connected through Wi-Fi and Bluetooth), the more opportunities hackers have to attack and take over these devices, or eavesdrop via microphones.
2. Potential of artificial intelligence. AI is being used to develop smart malware and attacks to bypass the latest security protocols in controlling data.
3. Mobile is the new target. Mobile banking malware or attacks in 2019 increased by 50%. Other information on smartphones that can be hijacked: photos, financial transactions, emails and messages.
4. Cloud is potentially vulnerable. Cloud applications (e.g., Google or Microsoft) are well equipped with security on their end, but users still need to be aware of errors, malicious software and phishing attacks.
5. Data breaches: Prime target. Remember: Any minor flaw or bug in your system browser or software can be exploited by hackers to access personal information. Keep all your systems current and updated.
6. IoT with 5G Network: The new era of technology and risks. 5G architecture is comparatively new and it requires a lot of research to find loopholes to make the system secure from external attack.
7. Automation and integration. The more systems that are automated, the more safeguards are needed to make sure that a system is secure.
8. Targeted ransomware. Another important cyber security trend that can’t be ignored is targeted ransomware. Training your employees to be cautious about phishing attacks can help keep your agency more secure.
9. State-sponsored cyber warfare. The cyber fights between different countries will continue to be an issue in 2023. We should continue to see high-profile data breaches this year.
10. Insider threats. A data-breach report by Verizon stated that 34% of total attacks were directly or indirectly made by the employees.
PASSWORD TIPS TO PROTECT YOUR AGENCY & CLIENTS:
STRONG PASSWORDS TO USE:
» 16 characters long
» Include capital letters or lower case letters
» Digits and punctuation marks
» DO NOT include personal information
WEAK PASSWORDS: DO NOT USE
» 123445
» password
» Social Security number
‘See it in the Eyes’ ransomware attack, a case study
Yigal Behar, president/CEO, 2Secure Corp.
When the “See it in the Eyes” ransomware attack occurred in 2022, it took approximately 16 hours to detect it, and it involved the Phobos Ransomware, aka Eight Virus. The victim, a jewelry company, was unable to open its business the next day following the attack. All its servers, with their files, emails and databases, were encrypted. Making matters worse, the backups for the applications and data also were encrypted, because they were not stored off-site, but on the same system as the business-critical files.
By the time a resolution had been reached, 71 days had passed, and it cost the owners of the store $35,000 to rebuild its entire digital presence, the virtual servers, and the applications that it used to process in-store and e-commerce orders. An estimated $285,000 was paid out in soft costs, and $25,000 was paid directly to the attackers to restore the data.
Many people believe that cyberattackers primarily target big corporations, because of the potential for a big monetary payout. This example refutes this thinking, because the targeted company was a small jewelry store, with only 30 employees. The company was targeted because its cyber security measures were inadequate (i.e., its backups were located on-site and on the same network as the primary data, and it had a networking misconfiguration).
Cybercriminals take great delight in attacking small businesses, because there are so many of them, and because many of them take cybersecurity too lightly. The truth is, no one is immune from cyberattacks, and every business that has any assets is subject to attack. In the case of the jewelry store, the one thing it did right was purchase cyber security insurance.
About the ransomware
The Phobos Ransomware, aka Eight Virus, is not new. It appends segments on to file names making them unrecognizable to any operating system. The appended segments include the file’s original name, your company ID (so they know who they attacked), an email address you can use to contact them, and the word “eight” (hence the virus name). Even if you could rename the file to make it recognizable, the encryption makes it unreadable. Currently, there are no effective decryption tools available to help with data recovery.
This ransomware was effective in disrupting the business, and in addition to the money paid to the attackers, and the cost to rebuild the entire infrastructure, there was an additional soft cost of $285,000. This was the amount of money that had to be paid to employees during the 71 days the business was down, which the store was unable to bring in through earnings. Of course, the company was obliged to shut down during that entire period, because it had no inventory data to draw on, and no way to record sales.
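The naming pattern described above can be turned into a simple triage check over a file listing; the following is an added example, not part of the original article or of any vendor tool. The article only says which segments are appended, so the punctuation in the regular expression, the thresholds, and the sample file names are assumptions constructed for illustration.

```python
import re
from collections import Counter

# Assumed layout: <original name>.id[<victim id>].[<contact email>].eight
# The article names the segments; the separators between them are an assumption.
RENAMED = re.compile(
    r"^(?P<original>.+?)"
    r"\.id\[(?P<victim_id>[^\]]+)\]"
    r"\.\[(?P<email>[^\]\s@]+@[^\]\s@]+)\]"
    r"\.(?P<marker>eight)$",
    re.IGNORECASE,
)


def parse_renamed(name):
    """Return the appended segments of a renamed file, or None if it does not match."""
    match = RENAMED.match(name)
    return match.groupdict() if match else None


def triage(paths, min_hits=3, min_ratio=0.5):
    """Flag directories where many files carry the appended segments.

    Requiring several hits and a high share of the directory avoids alerting on
    a single benign file whose name merely ends in ".eight".
    """
    per_dir = {}
    for path in paths:
        directory, _, name = path.replace("\\", "/").rpartition("/")
        entry = per_dir.setdefault(
            directory, {"total": 0, "originals": [], "victim_ids": Counter()}
        )
        entry["total"] += 1
        hit = parse_renamed(name)
        if hit:
            # The original name is what a restore job has to bring back.
            entry["originals"].append(hit["original"])
            entry["victim_ids"][hit["victim_id"]] += 1

    findings = []
    for directory, entry in sorted(per_dir.items()):
        hits = len(entry["originals"])
        if hits >= min_hits and hits / entry["total"] >= min_ratio:
            findings.append(
                {
                    "directory": directory,
                    "affected": hits,
                    "total": entry["total"],
                    "victim_ids": sorted(entry["victim_ids"]),
                    "originals": sorted(entry["originals"]),
                }
            )
    return findings


# Constructed sample listing (not taken from the incident in the article).
SAMPLE_LISTING = [
    r"D:\Shares\Inventory\stock_2022.xlsx.id[1A2B3C4D-0001].[contact@example.invalid].eight",
    r"D:\Shares\Inventory\orders.mdb.id[1A2B3C4D-0001].[contact@example.invalid].eight",
    r"D:\Shares\Inventory\suppliers.csv.id[1A2B3C4D-0001].[contact@example.invalid].eight",
    r"D:\Shares\Inventory\readme.txt",
    r"D:\Shares\Marketing\figure.eight",  # benign name that only ends in the marker word
    r"D:\Shares\Marketing\brochure.pdf",
]

if __name__ == "__main__":
    for finding in triage(SAMPLE_LISTING):
        print(
            f"{finding['directory']}: {finding['affected']} of {finding['total']} files renamed, "
            f"victim IDs {finding['victim_ids']}"
        )
        for original in finding["originals"]:
            print(f"  restore from backup: {original}")
```

Run against a periodic file-server listing, a check like this shortens the detection window and yields the list of original file names that the off-site backup has to cover.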
Timeline of the attack
The attack occurred on Sunday, April 10, 2022, at 6:45 p.m., when the store was closed. The servers were unprotected and vulnerable to attack. The encryption was carried out overnight, and by Monday morning, the IT manager called to report a blue screen on the host virtual machine, which led her to think there was a problem with the operating system.
All workstations were affected, as well as the virtual host server and the network-attached server. By Monday afternoon, it was apparent that the jewelry store owners should contact their insurance company, as well as the FBI to begin an investigation. Recovery was started on Tuesday by the forensic company, which started to analyze the cause of the breach.
On Wednesday, a temporary Microsoft Exchange email system was set up, so the store could have some communication with clients and business associates. However, it wasn’t until June 23 that the store had recovered to the point when it had a fully functioning system and could carry on business as usual.
However, during the 71-day recovery period, the business’s website suffered an attack, and it was significantly defaced. Clearly, the website lacked adequate protection from cyberattack, and it was just as vulnerable as the business’s host network. When the files were recovered, it was discovered that many emails had been corrupted and included malware, which could have launched a secondary attack. All these were successfully removed, and any further disaster was thwarted.
How did the ransomware enter the victim’s system?
An improperly configured firewall left a port open to attack, and this provided the entry point for the ransomware to penetrate the system. The firewall had been configured with security in mind, and some of the ports were changed to thwart a cyberattack. However, cybercriminals will go through the entire port range until they find something that appears vulnerable, and that is what happened in this case.
No one is immune from a cyberattack. Committed criminals will keep working until they find a way to breach your system. The fact that saves most businesses is that cybercriminals haven’t heard about them yet, and they haven’t focused on carrying out attacks on those systems.
The lingering damage
Any business that is forced to close for over two months will suffer serious financial loss. In addition, any breach like this quickly becomes public knowledge and results in a loss of confidence in the business that was attacked. Casual observers may feel that the affected business lacks adequate security measures, and they are hesitant to do business with them. That loss of confidence translates to ongoing loss of business for a business because customers prefer to patronize more secure companies.
No one wants to have their personal data exposed to cybercriminals, because they fear that they could become the next victims.
Suppliers and vendors also are hesitant to resume business relationships, knowing that the business has suffered a major security breach, and that they could be indirectly affected by it.
Most businesses that are victims of an attack take a while before they fully recover, and regain the confidence of clients, vendors, and other business associates.
The cost of suffering a ransomware attack goes beyond the monetary amount the business is obliged to pay out; it can continue on into the future like a ripple effect.
Ransomware backup
The jewelry store attacked by the Phobos Ransomware could have avoided this heartache and financial damage by having adequate backups of data and virtual servers prepared. It doesn’t matter whether you have backups stored off-site or on the cloud, it’s just essential to have backups you can access if someone hijacks your business-critical data and holds it for ransom.
If you still are using tape backups, keep in mind that damage can occur to the magnetic component of tapes over time, so they will need to be replaced at least annually. In addition, it will take longer to restore the data off the tapes.
And, cloud-based backups also can be breached if the vendor’s security is compromised. It’s good to remember that there is no security protection system that can give you complete protection against cyberattacks—so you should plan for multiple contingencies.
Don’t forget about insurance
Another good step to take to protect your agency is to acquire insurance against attack. In the event you are attacked, you’ll have to pay a higher premium afterward because you demonstrated that your security could be breached. However, the increased cost of premiums is well worth it, so you don’t end up bearing the entire financial cost of damages yourself. [EDITOR’S NOTE: Don’t leave your own agency exposed to the aftermath of a data breach—PIA offers you access to a cyber liability policy for your agency. Get a quick quote today. Logon to: www.pia.org/quote/cyber.php.]
The jewelry store could have faced financial ruin if it hadn’t purchased cyber security insurance beforehand. It managed to avert total disaster because it didn’t have to pay all those costs mentioned in this article on its own. Whatever the cost of insurance, backups and security measures, it will be far less than what it would cost if your agency is obliged to close its doors forever.
Behar is president/CEO of 2Secure, a cyber security assessment company. Reach him at (646) 560-5083 or cyber@2secure.biz. You can download his book Digital War–The One Cybersecurity Strategy You Need to Implement Now to Secure Your Business for free at http://www.2secure.biz/. The book also is available on Amazon in paperback or Kindle versions at a discount.
CLARE IRVINE, ESQ. Government affairs counsel, PIA Northeast
Managing risks with cyber liability policies
On Sept. 8, 2022, Suffolk County, New York, learned a professional hacking group known as BlackCat had gained unauthorized access to over 20 agencies within the county. Everybody from the police forces, to social services, to emergency dispatchers was forced to figure out a way to continue providing services to the county without their computers, data, email or internet.1
For almost a month, the county could not even perform a title search, which halted real estate transactions. Shortly after the hack, nonpublic information accessed by the attackers turned up on the Dark Web, including everything from sheriff’s records, to county contracts, to personal information on county residents.
Prior to the attack, Suffolk County had invested in cybersecurity and conducted simulations specifically to prepare for such an event. Yet, the county’s systems lacked safeguards—such as multi-factor authentication—that have rapidly become standard for security purposes, and it remained exposed to an attack.
Cyber liability insurance policies will never fully protect a business from a cyberattack or cover all the subsequent costs of maintaining business operations. Yet in a rapidly changing area, they offer comprehensive risk management by proactively forcing businesses to rethink their security systems on a regular basis in ways that can reduce the potential damage of an attack drastically and allow for continued business operations. Thinking about a cyber liability policy as a more comprehensive tool to protect a business could show an organization how to prepare to keep operating and minimize the damage done by a security breach.
The application as a risk manager
In the last decade, multi-factor authentication has gone from a rarity to a standard business practice. Cyber liability applications and policies reflect this shift. Applications reflect cyber security measures that range from expected practices to newer measures designed to protect against current attacks. Questions also involve system designs and data storage to reflect how these structures and decisions may impact the severity of a cyberattack and the aftermath. Beyond a cyberattack, these also may help with business recovery after a natural disaster (think off-site backups).
Cyber liability policies and the accompanying applications are living documents, updated frequently to reflect the rapid changes in the risks. As a result, the questions asked about a cyber security program and system design give strong indicators regarding what measures businesses should consider adopting. In a review of cyber liability policies, the RAND Corp. found that the questions may vary, but fall into four general categories: 1. organization; 2. technical; 3. policies and procedures; and 4. legal compliance.
These categories reflect the factors of a comprehensive data security system. Simply installing a firewall and requiring a password does not protect a computer system. Increasingly, human behavior leaves businesses susceptible to security breaches through phishing emails. Plus, it provides ways for a hacker to access an organization’s entire data system. Simply limiting access to critical systems may not prevent an attack, but it can reduce the damage done by containing it.
Unlike regulatory requirements, cyber liability applications are regularly updated to reflect recent attacks and changes to the recommended best practices. Understanding the application questions and their purpose can help an insured complete the forms and emphasize why certain policies may be required. While many measures included on an application may not be required by the cyber liability carrier for that policy, that could change rapidly as well.
Understand the limits
In a study of over 100 CFOs and senior financial executives, FM Global found that 45% of those surveyed executives thought their cyber liability policy would cover most of the related losses from a cyber security event, while 26% of respondents expected all losses to be covered.2 Yet, with the high cost of cyberattacks, insurers write policies to reduce and contain their own exposure. The coverage should be evaluated based on what’s covered, what’s excluded, and the applicable sublimits to ensure proper understanding of the policy and potential exposure following a loss.
Generally, coverage for first-party covered losses breaks coverage into four categories: 1. data compromise response; 2. identity recovery; 3. computer attack; and 4. cyber extortion.3 When it comes to third-party coverage, the sublimits get broken down into compromised data, network security, and electronic media. While the lack of standardization makes it important to review each policy’s specific coverage terms, the evaluation of policies by the RAND Corp. found that there was not substantive variation in policy coverages. The variations came from the policy exclusions, which could create problems for policyholders. Cyber liability policies may exclude criminal, fraudulent, or dishonest acts. Physical harm also may be excluded despite also being a potential data breach. As cyberattacks become more complex, the exclusions may reflect the changes as insurers attempt to reduce their own exposures to increasingly expensive breaches.
The costs of a cyberattack
Beyond the challenge of understanding cyber liability policies is the cost. Underwriting cyber liability proves far more challenging for carriers due to the rapidly changing nature of the losses and lack of historical data. The costs of data breaches have been increasing, especially with the rise of ransomware attacks. From 2020 to 2021, the average cost of a security breach has risen 10% with those costs almost certain to increase in 2022.4 IBM Security estimates each piece of personal identifiable information stolen in a cyber security breach costs $180 alone.5 While insurance could cover some of the expenses, other costs associated with a security breach would be excluded or not covered by the standard policy. Some of the costs, especially those associated with lost business and reputational damage, may be difficult to quantify much less try to make up with an insurance policy. This leads back to the questions on the application offering pointers to reducing the potential costs along with the risks. Businesses with more developed security systems updated frequently to respond to contemporary threats face reduced costs following a cyber security breach. System design and offline system backups can further reduce costs by containing a potential breach and protecting records. The sublimits within a cyber liability policy further emphasize the need to think of the potential costs when reviewing a data security system to balance out the proactive steps to protect a business from a cyberbreach and finding an available cyber liability policy to cover some costs.
Conclusion
Reviewing the cyberattack on Suffolk County strongly suggests an interconnected system that made it impossible to contain the damage. The aftermath also shows how crippling such an attack can be on an organization with the county unable to accept any online payments over two months after it took the computers offline.
Cyber liability insurance cannot stop a business from being attacked. However, independent agents who understand the role of updated requirements in policies and the extent of the policy’s sublimits and exclusions can help their clients understand how to manage these risks in a way that allows for an attack to have a minimal impact on their operations.
Irvine is PIA Northeast’s government affairs counsel.
1 The New York Times, 2022 (nyti.ms/3hxunQ5)
2 FM Global, 2019 (bit.ly/3HCbGWj)
3 Sasha Romanosky, Lillian Ablon, Andreas Kuehn, Therese Jones. “Content analysis of cyber insurance policies: how do carriers price cyber risk?” Journal of Cybersecurity. Volume 5, Issue 1. February 2019
4 IBM Security, 2021 (ibm.co/3WgjHUP)
5 Ibid.
DAVE KAHLE President, Kahle Way Sales Systems
The solution: Is it them, or is it me?
In this rapidly changing economy, everyone is looking for a simple fix to deal with the uncertainty of our economic environment. It seems like few are happy with their situations. And, all but a few point their fingers at the changing economy and vibrant competitive environment as the source of their dismay.
The comments I overheard at one of my recent sales seminars were representative. One salesperson complained that his customers were shrinking and going out of business. Several complained about customers’ pressure to lower prices. Still others complained about desperate competitors’ feverish attempts to generate cash flow by discounting dramatically. And, of course, everyone is concerned about the lingering impact of the COVID-19 lockdown.
There must be a genetic inclination in humans to look outside ourselves and blame those things that are outside of our control for our situations. We lament the conditions outside of ourselves and cast ourselves as victims. If only someone else would fix it. Maybe the government will make everything good again.
Unfortunately, if our gaze is directed at them—those conditions in the market that have changed and are outside of our ability to control—we will never free ourselves from the constraints on our income and prosperity. We can’t do anything about them. The real secret to improving our conditions is to work on us.
As author James Allen said: “Men are often interested in improving their circumstance, but are unwilling to improve themselves, they therefore remain bound.” What was true a hundred years ago is still true today. Salespeople, sales managers, and sales executives need to look inward—at themselves and their sales teams—for the solution to their problems.
Salespeople
It may have been OK a few years ago for salespeople to have their own style of selling, to never invest in their own improvement, and to make their living off their existing relationships. Today, all of these are obsolete ideas that must be changed. It’s time to look inward and work on yourself.
To effectively deal with the changing economy, salespeople must become more strategic and thoughtful about the investment of their sales time, and they must bring value both to the customer and to their employers in every sales call. They must view their jobs as professions, not just jobs, and become serious about improving themselves. In many cases, salespeople will have to gain new skills in working from a home office and running sales calls via phone and video technology.
In a world where it is obvious that good salespeople sell more than mediocre salespeople, they must decide to become better salespeople. That means investing in their own improvement and striving to achieve higher levels of competency and thus, better results.
Those salespeople who survive and thrive in this climate will be those who understand the path to their prosperity lies not in the outside world, but in themselves.
Sales managers
Likewise, sales managers must stop coddling those salespeople who aren’t interested in—or committed to—continuous improvement and greater levels of productivity. They must be sensitive to those salespeople who will refuse to strive to add new skills, and they’ll need to hold them accountable for practical expectations of growth and development. They need to put in place practices and disciplines that call for quantifiable expectations on the part of their sales team, regular measurements, and greater thoughtfulness and strategic planning.
They must demand continuous improvement and thoughtful efforts to increase market share.
Sales managers must look inward, understanding that their chances of success are dependent on them, not the market—understanding they can do it better, and doing it better brings better results.
They must examine their sales forces and use this window of opportunity to weed out those salespeople who have no interest in development, who don’t have the capability to succeed as a professional salesperson, and who aren’t committed to their own personal success. Now is the time to review the bottom third of their sales forces and aggressively seek to upgrade.
Sales executives
Chief executive officers and chief sales officers need to recognize that the current state of the economy, and the resulting impact on the attitudes and perspectives of employees, has delivered a once in a lifetime opportunity to make significant changes in the structure of the sales force.
Recall just a little over a year ago. Making wholesale changes in sales territories, account responsibilities, the role of the inside and outside salesperson, sales management practices, compensation plans, and expectations for continuous improvement, would have been met with resistance from most of the sales force. Today, most salespeople are willing to cooperate, and they are acutely aware that they can be replaced if they don’t follow your lead. Those CEOs and CSOs who look inward and use this window of opportunity to streamline and rationalize their sales systems will increase their productivity and lay the groundwork for disproportional growth when the economy shifts.
The world is full of victims who lament their condition and blame their fate on sources outside of their control. Leaders accept their responsibility to look inward and improve themselves.
Kahle is one of the world’s leading sales authorities. He’s written 12 books, presented in 47 states and 11 countries, and he has helped enrich tens of thousands of salespeople and transform hundreds of sales organizations. Sign up for his free weekly Ezine (www.thesalesresourcecenter.com/dkezinesubscribe). His book, How to Sell Anything to Anyone Anytime, has been recognized by three international entities as “one of the five best English language business books.” Check out his The Good Book on Business
How do I Advise My Clients On WHAT MATTERS Most?
An insurance agent’s guide to cybersecurity
RICH PHILLIPS Channel manager, Cyberstone Security
Insurance agents know cybersecurity is important. After all, the average cost of a critical infrastructure breach is up to $4.35 million [1]—a number that climbs every year. Much of this cost is attributed to lost business—a loss of money in fixing the problem itself, but also the real possibility of a loss of future revenue, too. You can’t afford to be caught off guard.
Cyber concerns for insurance agents are twofold. You’ll need to safeguard your own data and systems to protect your agency from data theft, hacks, loss of reputation, and liability. You also serve as an important resource to your clients, and you can provide them with valuable information about how to mitigate their risk.
As a trusted partner for your clients, you should be able to provide basic suggestions about the most salient points of cyber security protection. As many of your clients may be on a limited budget or have only a basic understanding of the importance of cybersecurity, you should have some basic metrics in mind when broaching the topic and be able to rank the IT protocols that are most important to them.
What should you recommend your clients focus on? Some basics of cyber security protections include multi-factor authentication, vulnerability scanning, penetration testing and user security awareness training.
Multi-factor authentication for all
Multi-factor authentication is a must in today’s world. It adds an extra layer of security by requiring, as it implies, more than one method of authentication. This can include many combinations of the following: something you know (e.g., a password or code), something you have (e.g., a keycard), or something unchangeable about you (e.g., a fingerprint or other biometric scan).
As you’re likely aware, passwords should be changed regularly. Experts suggest you should alter them at least quarterly to best protect your sensitive information [2]. Passphrases are also a strong way to better protect your credentials. Your dog’s name and your favorite sports team are pretty easy for hackers to learn via social engineering, but they’ll be hard pressed to guess your password when it’s a running phrase like, “Iliketacotuesdaysandthrowbackthursdays.”
Whichever approach an organization decides to take, be sure that all members of the team are doing the same thing. Your system is only as safe as its weakest link. Properly educating your staff on the preventative measures you require is a critical part of cybersecurity best practices.
You also should recommend to your clients that they change their passwords regularly and/or use passphrases. This is true both for their accounts that have nothing to do with you (e.g., their LinkedIn or email profiles) and the login to their payment portal or insurance document account through your agency.
Keeping yourself aware of cybersecurity best practices helps you and benefits your clientele. You can be a strong advocate to protect your customers—both as someone in the know and as a party with a vested interest. After all, if they don’t change the password for their login on your portal, a breach of their system could lead to a breach of yours.
Keycards may be less relevant for many insurance agents and their clients, but be sure your staff knows not to share swipe cards or other methods of entering the building with others. This will both keep you safe and lower your liability in the event of an incident. By knowing who is coming and going and when, you can better secure both your staff members’ well-being and the data your systems contain.
Biometric passwords are likely the way of the future, with companies like Apple [3], and possibly Google and Microsoft, planning to switch to passkeys that rely on face or fingerprint recognition as the gateway to logging in. At the present time, this prevents most phishing and hacking scams from being effective. However, you should stay up to date on trends, as attacks will become more sophisticated over time. Still, if you have the option to select biometric passwords, they are a good alternative to traditional ones—both for internal systems and for client-facing portals.
Multi-factor authentication most commonly involves a password and a code sent in real-time to an email or phone number. It also may involve a biometric login plus a code or a password. This dual level of protection always is better than just one. The stronger each element is within the MFA, the better.
Testing insurance agents, clients
Penetration testing also is an important part of IT for insurance agents and their clients. This assessment simulates a hacker attack to test the security of a system. By doing this, you can find weaknesses in your system and then take steps to fix them before a real attack happens. Agents should have their managed services provider or IT team conduct periodic penetration testing to verify the security of their systems. This is a critical step toward protecting the sensitive client data that you may have in your electronic files.
Not familiar with MSPs? In essence, they provide IT support and preventative services to businesses. They can help with a variety of tasks, including providing access to the latest security patches and software updates, monitoring systems for signs of intrusion and malware activity, and providing guidance on best practices for cybersecurity. Working with an MSP can help insurance agents to stay protected from cyber security threats. Your MSP can handle penetration testing on your behalf.
You also can express to your clients the importance of conducting a penetration test on their own systems, particularly if you are sharing data back and forth electronically with them. This is important for two reasons: (1) it protects them, and (2) a more robust security effort on their part ultimately safeguards your system against a hacker, too. If they are infiltrated and they have shared portals to your system, you are more likely to suffer a breach.
Why are agents vulnerable?
There are a few reasons why insurance agents may be more vulnerable to cyber security threats compared to other professionals. First, insurance agents often deal with sensitive client information. This includes things like Social Security numbers, credit card information, and medical records. If this information falls into the wrong hands, it could be used for identity theft or fraud. Agents may be targeted specifically by hackers because of the type of information to which they have access.
Another reason why insurance agents may be more vulnerable to cyber security threats is because they often work with clients remotely. This means that they may not have the same level of security as someone who works in an office. If working from home, some agents may lack access to the same type of firewalls and antivirus software that could be in place in a brick-and-mortar office, which can leave them open to attacks.
Finally, agents may be targeted by hackers to disrupt the operation of their parent insurance company and demand large ransoms. A breach in your system could open the door to hackers accessing data or systems of the insurance companies with which you do business.
Protect yourself and your clients
There are a few additional steps that insurance agents can take to protect themselves from cyber security threats. You also can recommend these steps to your clients.
Make sure that your systems are up to date with the latest security patches. You also should install and use antivirus and antimalware software. If you aren’t sure how to approach this task, consult your IT department or your managed service provider.
Insurance agents also should be careful about the type of information they share online. You should avoid sharing sensitive client information or company information on social media or in emails. If you do need to share this type of information, encrypt it before sending it.
Proper storage and transmission of information is imperative. If clients need to send sensitive information to insurance agents, they should encrypt it before sending it. This can help to protect the information from being intercepted by hackers. Customers also can use a secure file sharing service to send files to insurance agents. Typically, this type of service will encrypt the files before they are sent.
Insurance agents should store customer information in a secure database. They also should encrypt this information to help protect it from being accessed by unauthorized individuals. Insurance agents should have a process in place for regularly backing up this information. This will help to ensure that it can be recovered if it is lost or corrupted.
Finally, insurance agents should consider investing in cyber insurance. This type of insurance can help to cover the costs of damages that occur because of a cyberattack. It can help to cover the costs of recovery if sensitive client information is stolen. You might recommend cyber security insurance to your clients, and, in some cases, you may be able to sell it to them as part of their insurance portfolio with you.
Cyber security insurance is a growing industry as the pace of breaches increases rapidly and the cost of those attacks continues to snowball. In fact, by 2025 the global cyber insurance market is expected to be $20 billion. Insurance clients opting for this coverage [4] rose from 26% in 2016 to 47% in 2020. This could be due in part to the fact that the costs of cyberattacks nearly doubled between 2016 and 2019 in the United States.
To have cyber insurance coverage, note that you will have to abide by certain rules. Insurance companies expect their customers to have safeguards in place like strong firewalls and encryption protocols, multi-factor authentication, software update schedules, regular assessment and repair of vulnerabilities, best-practice handling and storage of sensitive data, and secure financial transactions.
This is another reason to encourage your clients to follow cyber best practices: They likely won’t be eligible for cyber insurance coverage if they do not. Though today cyber security insurance is just a suggestion, in the future, it could become a standard part of a business insurance policy. Protecting your digital assets and your reputation, plus reducing your liability, are enough reason to tighten up your cyber security strategy. However, getting ahead of the curve for when cyber security insurance becomes a necessary standard is a strong reason, too.
Cybersecurity is an important issue for insurance agents and their clients. By taking steps to protect themselves from cyber security threats, they can help to keep their clients’ information safe as well.
Phillips is a skilled cyber security manager with years of experience helping organizations simplify the complexities of cybersecurity. He is passionate about developing actionable strategies that demystify the inherent intricacies of technology for organizations located across the country. He is a channel manager with Cyberstone Security—a niche cyber security consulting firm that helps organizations develop and enhance their information security programs, reduce risk, and achieve compliance with state and federal information security regulations, through services such as vulnerability assessments and penetration testing.
[1] Upguard, 2022 (bit.ly/3j0LVoc)
[2] McAfee, 2022 (bit.ly/3Fntwtg)
[3] CNET, 2022 (cnet.co/3BBLvv0)
[4] GAO, 2022 (bit.ly/3j3I2Pt)
Cyber security challenges and remote workers
Trends and best practices
MICHAEL EVANS Founder, USPA Nationwide Security
According to our research, collaboration platforms used in the insurance industry have increased the likelihood of hackers targeting their users. Consequently, these organizations should focus on protecting their remote workforces from cyberattacks. This can be accomplished in several ways, including training remote employees and implementing cyber security policies.
A recent survey indicates that one-fourth of employees are concerned about cybersecurity when working from home. Many people receive spam and fraudulent emails because of phishing and scams. It is unfortunate that many of them do not take adequate precautions against these threats.
It is common for the insurance industry to utilize cloud-based software programs—including NowCerts, Jenesis, and Applied Epic Software—to exchange insurance information and data, administer insurance policies and benefits, track licenses and documents, manage commissions, manage tasks, manage claims, generate reports, and provide self-service certificates. When managed by experienced IT professionals in the workplace, the information usually is safe. However, it is when home-based workers access sensitive data, without the proper security protocols in place, that there can be problems. This type of exposed information poses a formidable threat to the insurance industry as well as to the insured. Insurance agencies may be vulnerable to ransomware attacks if they have the slightest vulnerability, which usually results from a home-based login.
Although ransomware’s future cannot be predicted, there are several trends that will shape the threat landscape in the years to come. Soon, ransomware attacks are likely to increase dramatically. By utilizing this model, small-time cybercriminals can carry out ransomware attacks that can climb to large-scale operations.
Over the past three years, ransomware attack demands have increased by more than 100%. Part of the reason for this is the increasing success of ransomware attacks, as well as the fact that more companies are paying up to recover their data. For instance, health care organizations have experienced some of the highest demands since a disruption could result in the loss of lives. Both Telecom Argentina and Light SA reportedly have experienced ransoms of more than $14 million—and these demands are expected to continue to rise.
A cyberattack on Shoprite Group, a South African supermarket chain, also has occurred recently. The RansomHouse ransomware gang published screenshots of the stolen information on its Telegram channel and boasted of its attack on the company. The attack also affected other companies, including the American Dental Association and Deutsche Windtechnik.
Why this is such a big problem
There are several factors that contribute to these high-level attacks that may originate with employees who are working remotely.
Software programs used by workers operating from home may not be protected by firewalls. Home computers are increasingly being attacked by cybercriminals. Most home computers do not have a firewall, which makes them vulnerable to hackers. Hackers who discover such vulnerabilities wait for an opportunity to exploit them.
A poorly implemented remote access solution can pose a serious security risk. It is inevitable that faulty configurations will arise from the deployment of remote infrastructure under time pressure. Cyberattacks and infringements are likely to increase dramatically as a result. Additionally, remote employees may not be as vigilant at protecting sensitive data as they may be when they are in the office (e.g., they may leave their computers unlocked or paper documents lying on their desks). Thus, unsecured devices usually are attacked within a short period of time.
There are many businesses that use remote-working methods to increase their efficiency, but the problems do not end there. It is common for employees to lack the necessary tools to protect their data—making them more susceptible to cyberattacks. Additionally, there is a risk that malware will be transmitted through email.
Hundreds of studies and millions of data points have been analyzed by the Alliance for Connected Work. Commuting costs are higher than those associated with working in a traditional office—despite employees’ willingness to accept pay cuts and reduced benefits when working from home. Despite the costs associated with virtual-work options, employers who offer this option report a higher quality candidate pool. Remote workers are being targeted by cybercriminals, resulting in a 238% increase in cyberattacks.
Risks associated with ransomware attacks in cloud computing. Cloud computing is at risk of ransomware attacks. In addition to encrypting files, these malicious programs can encrypt entire servers owned by cloud-service providers. All cloud users will be affected by this change. Fortunately, ransomware attacks can be mitigated. Installing next-generation antivirus that automatically updates your operating system is one option. It is possible to implement web filtering to block infected websites. IT professionals also can provide technical assistance. Implementation of a disaster recovery plan is another method of protecting your cloud data from ransomware attacks.
Using least-privilege access to your cloud resources is one of the most effective ways to minimize the risk of ransomware attacks. It will prevent fraudsters from gaining access to your system, and it will minimize the impact of shockwaves when they do gain access. Replicating buckets is a smart idea, since it creates a backup in the event that your original data is corrupted or stolen. However, it is worth noting that replicating buckets may be expensive and may increase the attack surface. To prevent your data from being compromised, it is essential to balance these considerations with best practices.
To prevent ransomware from damaging your data, it is essential to take steps to isolate systems as soon as they appear on your network. The most effective way to protect your data is to ensure it is secure on your endpoints and to sync it to the cloud. There are several cloud back-up solutions suitable for this purpose. Do your research to determine the best system for your agency’s needs.
Best practices
As you establish and fine-tune your agency’s remote work policy and procedures, there are some best practices that you should keep in mind: You can protect your software, hardware, and data systems by hiring a cyber security firm. Even though these risks exist, most organizations have implemented cyber security measures for their home-based employees. Trends indicate that a good number of employees feel more productive at home. However, some employees feel that they have had decreased productivity since they started remote work. There are many advantages associated with working from home, but there also are some challenges, such as limited IT tools, privacy concerns, and interruptions to family life.
To avoid regulatory fines, risk management of systems, internal controls, expert analysis, and implementation are necessary. Managing cyber security risk is an important responsibility for virtually every insurance agency. As the world becomes increasingly digital, cyber security issues are driving increased regulatory and legal pressure on companies.
Likely changes in the future
With the growing importance of cyber risk management, the Securities and Exchange Commission has issued several recent proposals. These proposals focus on improving the disclosures of public companies about cybersecurity. They are designed to make information about cyber risk more consistent and to address some of the significant issues that public companies have had to deal with. The SEC is proposing new rules that would require public companies to disclose cyber security incidents in a more timely fashion. These rules also would require public companies to disclose details about their cyber security strategy and risk management policies.
This proposal follows several SEC enforcement actions against public companies. The proposed rules would require public companies to disclose cyber security incidents in four business days. The SEC seeks to standardize cyber security disclosures, and believes that investors could benefit from this type of consistent disclosure.
It also is proposed that public companies disclose their board members’ cyber security experience. These requirements may encourage public companies to seek out directors with greater cyber security knowledge. However, some corporate governance professionals have suggested that highlighting board members’ cyber security expertise could increase the risk of shareholder litigation.
Evans is the founder of USPA Nationwide Security, a protective firm operating on six continents providing close protection, fire watch and cybersecurity. After retiring in 2021, he began collaborating with USPA’s research and development team, developing its cybersecurity section (bit.ly/3uLo3Ym) as well as its autonomous drones and artificial intelligence training division.
Social engineering risk mitigation for cyber loss
E&O UTICA NATIONAL INSURANCE GROUP
You may be familiar with the concepts of social engineering and creating a human firewall in the context of information security. For those who don’t know, social engineering is defined as the use of deception to manipulate individuals into performing actions or divulging confidential or personal information that may be used for fraudulent purposes. A human firewall refers to the awareness level that all users must have to ensure that they provide an effective layer of security.
Employee behavior can have a big impact on information security for organizations. If those with legitimate access to your network can be manipulated into revealing their passwords or allowing unauthorized people to use their computers, all your information security tools may be worthless. What follows are some pre-loss, risk management ideas to help prevent unauthorized intrusions into your agency systems.
Reduce the likelihood of social engineering fraud
Many social engineers do not even possess a high level of technical skill. It is their people skills—their charm, trickery or intimidation— that get them where they are not supposed to be by convincing legitimate employees to disclose information that compromises the security of data, computer systems and networks. To prevent this, remember that the human firewall’s best weapon is common sense. How you can help:
• Provide security awareness training to ensure all staff members are aware of potential threats and can recognize social engineering attempts.
• Use strong passwords or passphrases and implement multi-factor authentication wherever possible.
• Dispose of nonpublic information properly by shredding it and do not leave nonpublic information unattended.
• Develop an incident response plan and test it periodically to ensure everyone knows how to respond to incidents and report them immediately to minimize any potential damage.
• Ensure you have a comprehensive set of information security policies and methods to ensure that everyone is following them consistently.
Key elements in security policies to mitigate social engineering risks include the following:
• Possess strong password policies (e.g., no generic accounts, all activity must be able to be traced to an individual, no sharing of accounts, penalties for violations, etc.).
• Data classification should clearly outline the information that is considered nonpublic (i.e., personally identifiable information, private information, protected health information, etc.).
• Build in device and software controls to regulate what users can and cannot do or install on their equipment and restrictions that they are used for work purposes only. Do not mix business with pleasure.
• Install antimalware to ensure that a comprehensive solution is implemented to detect and block any malicious activity.
• Implement access controls for periodic (at least bi-annually) review of access to all systems. Keep evidence of the review and approval of the current access list by a senior manager.
• Monitor the actions of employees to validate that tasks performed are for work purposes and to detect abnormal activity.
• Employ data loss prevention tools to detect exfiltration of nonpublic information from your systems.
• Focus on physical security to ensure only authorized personnel have access to areas containing nonpublic information.
• Require that computers be locked by users when they are left unattended. Do not rely on systematic locking mechanisms.
• Execute a risk assessment at least annually to evaluate the effectiveness of security controls and to understand any gaps.
• Perform a cybersecurity-focused risk assessment for all third-party service providers at least annually to ensure they also have implemented effective information security procedures.
To prevent a possible social engineering incident, employees should stop, think, and ask themselves:
• Did you request this information?
• Are you expecting this request?
• Do you know the person requesting this information or asking you to act?
• Are you the right person to provide this information?
• Is there a specific business reason you would be asked for this information?
• Are you being asked for personal information?
• Does the request seem overly urgent or rely on your goodwill and genuine desire to be helpful to others?
There are instances when it is better to not be curious. Don’t open an attachment because it looks enticing or promises a benefit to you. Just delete it. Likewise:
• Never divulge personal information via phone or unsecured websites.
• Never click on links, download files, or open attachments from unknown senders.
• Be particularly aware of phone vishing as this tactic is becoming more popular.
• Beware of pop-ups and never enter personal information in one.
Remember, if it sounds too good to be true, it probably is. Nothing is free in the cyberworld. If you sign up for a free coupon, free newsletter, or social-media site, realize that all your information is being used and sold in the cyberworld.
Your most important asset is your people. That also is true when it comes to cybersecurity in your agency. Educate them. Train them. Remind them to use their common sense. If it sounds phishy—it probably is.
Social engineering terms to know
Phishing: An email, instant message, comment, or text message that appears to come from a legitimate company, bank, school, or other institution, typically sent to several users.
Spear phishing: A phishing attempt that is targeted to a specific user or group.
Vishing or voice phishing: The use of a phone (cell or landline) to attempt to gather personal or financial information from the target.
Smishing: A text message to a cell phone to get the user to click on a link or reply by texting a random phone number or truncated number (e.g., 44567).
Pretexting: An attacker pretends to legitimately need personal or financial data to confirm the identity of the recipient.
Baiting: A pop-up or download request meant to get your attention to trick you into clicking on it. Some examples may be a free popular movie, song, item to purchase, free item, or monetary incentive. The victim is prompted to log in, which typically grants remote access to the hacker or opens access to your computer that the hacker will use later.
Scareware: Tricking the victim into thinking the computer is infected with malware or that he or she has inadvertently downloaded illegal or malicious content. The attacker offers to help the victim fix the computer when the victim grants access to it.
Rogue: Malware that poses as security software to trick the victim into paying for the fake removal of malware.
Water holing: When an attacker attempts to compromise a specific group of people by infecting websites the group is known to visit to gain network access.
Diversion theft: When attackers try to trick a delivery company into going to the wrong location and try to intercept the delivery.
Tailgating: When someone attempts to slip into a building behind a user, who has a valid area-entry badge.
Quid pro quo: When an attacker pretends to provide something in exchange for the target information or assistance. A hacker may call a selection of random numbers within an organization and pretend to be calling back from a legitimate tech support group.
Honey trap: When an attacker pretends to be a desirable person to interact with online or a person trying to establish a fake online relationship intended to gather sensitive information through that relationship.
Utica National Insurance Group and Utica National are trade names for Utica Mutual Insurance Company, its affiliates and subsidiaries. Home Office: New Hartford, NY 13413. This information is provided solely as an insurance risk management tool. Utica Mutual Insurance Company and the other member insurance companies of the Utica National Insurance Group (“Utica National”) are not providing legal advice, or any other professional services. Utica National shall have no liability to any person or entity with respect to any loss or damages alleged to have been caused, directly or indirectly, by the use of the information provided. You are encouraged to consult an attorney or other professional for advice on these issues. © 2023 Utica Mutual Insurance Company
Have a question? Ask PIA at resourcecenter@pia.org
Cybersecurity, bike accidents and more
Cyber security regulation–limited exemption; must-comply sections
Q. What is the limited exemption in New York state’s cyber security regulation? With what sections must my agency comply?
A. The limited exemption applies to covered entities with:
1. fewer than 10 employees (part-time or full-time), including any independent contractors, of the covered entity or its affiliates located in New York state or responsible for business of the covered entity, or
2. less than $5,000,000 in gross annual revenue in each of the last three fiscal years from New York business operations of the covered entity and its affiliates, or
3. less than $10,000,000 in year-end total assets, calculated in accordance with generally accepted accounting principles, including assets of all affiliates.
Entities that qualify for this limited exemption are exempt from some of the requirements of this regulation (Sections 500.04, 500.05, 500.06, 500.08, 500.10, 500.12, 500.14, 500.15 and 500.16 of this part).
All entities must comply with Sections 500.02, 500.03, 500.07, 500.09, 500.11, 500.13 and 500.17.—Bradford J. Lachut, Esq.
Cyber security regulation–MFA
Q. Are all third-party service providers required to implement multifactor authentication and encryption when dealing with a covered entity?
A. New York Regulation 23 NYCRR 500.11, among other things, generally requires a covered entity to develop and implement written policies and procedures designed to ensure the security of the covered entity’s information systems and nonpublic information that are accessible to, or held by, third-party service providers.
The regulation (500.11(b)) requires a covered entity to include in those policies and procedures guidelines, as applicable, addressing certain enumerated issues. Accordingly, 23 NYCRR 500.11(b) requires covered entities to make a risk assessment regarding the appropriate controls for third-party service providers based on the individual facts and circumstances presented and does not create a one-size-fits-all solution.
Thus, a third party could be required to implement multi-factor authentication should the covered entity to whom they are a third party require it.
—Bradford J. Lachut, Esq.
Multi-factor authentication
Q. What is multi-factor authentication and why is it important?
A. Multi-factor authentication is a method of authenticating users on an information system by requiring them to go through multiple steps to access that information system. Commonly, this is accomplished through a combination of a username and password, followed by a requirement for users to prove their identity again through a notification sent to their mobile device or by inputting an additional code.
MFA often is the first and best defense against a cyberattack. Microsoft estimated that 99.9% of cyberattacks can be blocked by MFA. Here are some best practices:
Update outdated systems. Outdated systems—referred to as legacy systems—often do not support MFA. To prevent issues, businesses should update any outdated systems. Updates should be implemented with direct oversight and with a plan in place that will eliminate security gaps. Avoid self-setup updates that require each individual user to set up MFA credentials. In addition, a proper inventory of information technology assets should be kept to ensure legacy systems are not still online.
Use MFA for all applications. MFAs should be utilized for all applications that permit a user to access a business’s information system. For example, a business may utilize a Virtual Private Network service that requires the use of MFA, but only requires single-factor authentication for an email application. Once again, use of an inventory of information technology assets will help a business. A business should review its inventory routinely to ensure all relevant applications require MFA.
Third-party users. It is not only a business’s employees who may have access to a business’s information system. Third parties, such as payroll or human resources companies, also may have access. MFAs should be required for all users who have access to a business information system, including any third party.
No exceptions. Use of MFA must be uniform to be effective. A business should not allow exceptions to the requirements of MFA.
Testing. Once a business has implemented a complete and effective MFA process, it should test it. Routinely testing and validating the effectiveness of MFA implementation is critical to protecting a business’s information system. MFA testing should be incorporated into IT audits, penetration tests and vulnerability scans of a business’s larger information system.—Bradford J. Lachut, Esq.
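The inventory review described in the MFA answer above can be automated. The following is an added example, not part of the original column: it audits an IT asset inventory for the gaps the answer lists (legacy systems still online, single-factor applications, third-party users, and exceptions). The record fields and the sample inventory are constructed assumptions.

```python
from dataclasses import dataclass, field

@dataclass
class Account:
    user: str
    third_party: bool          # e.g. a payroll or HR vendor login
    mfa_enrolled: bool
    mfa_exempt: bool = False   # an exception someone granted

@dataclass
class Application:
    name: str
    online: bool
    supports_mfa: bool         # False marks a legacy system
    mfa_enforced: bool
    accounts: list = field(default_factory=list)

def audit(inventory):
    """Return (application, finding) tuples for every MFA gap found."""
    findings = []
    for app in inventory:
        if not app.online:
            continue  # decommissioned systems accept no logins
        if not app.supports_mfa:
            findings.append((app.name, "legacy system still online, cannot support MFA"))
        elif not app.mfa_enforced:
            findings.append((app.name, "single-factor login permitted"))
        for acct in app.accounts:
            who = "third-party" if acct.third_party else "employee"
            if acct.mfa_exempt:
                findings.append((app.name, f"{who} {acct.user}: MFA exception granted"))
            elif app.supports_mfa and not acct.mfa_enrolled:
                findings.append((app.name, f"{who} {acct.user}: not enrolled in MFA"))
    return findings

def mfa_coverage(inventory):
    """Fraction of online applications that enforce MFA."""
    online = [a for a in inventory if a.online]
    return sum(a.mfa_enforced for a in online) / len(online) if online else 1.0

# Constructed sample inventory (all names are illustrative).
INVENTORY = [
    Application("vpn", True, True, True, [
        Account("alice", False, True),
        Account("bob", False, True)]),
    # The case the answer warns about: VPN requires MFA, email does not.
    Application("email", True, True, False, [
        Account("alice", False, True),
        Account("bob", False, False)]),
    Application("agency-mgmt-legacy", True, False, False, [
        Account("alice", False, False)]),
    Application("payroll-portal", True, True, True, [
        Account("vendor-payroll", True, False),
        Account("owner", False, True, mfa_exempt=True)]),
    Application("old-file-server", False, False, False),
]

if __name__ == "__main__":
    for app_name, finding in audit(INVENTORY):
        print(f"{app_name}: {finding}")
    print(f"MFA enforced on {mfa_coverage(INVENTORY):.0%} of online applications")
```

Running the audit on a schedule, and after every change to the inventory, turns the "review its inventory routinely" advice into a repeatable check whose output can feed the IT audits the answer mentions.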
Coverage for bike accidents
Q. My insured’s car was hit and damaged by a bicyclist. To which policy—household auto or homeowners—should my insured look to recover for the damage caused by the bicyclist’s negligence?
A. The bicyclist’s homeowners policy. The personal auto policy insures autos and trailers for property damage liability, but excludes vehicles having less than four wheels (e.g., a motorcycle or bicycle).
The homeowners policy only excludes the operation of “motorized” vehicles, so coverage will apply to the use of a bicycle.—Dan Corbin, CPCU, CIC, LUTC
Loss of use after power outage
Q. If an insured homeowner loses power for a period of time—say two weeks—can he or she claim additional living expenses even though no property on the premises was damaged by the windstorm?
A. Unfortunately, there is no coverage under the ISO Homeowners Policy for additional living expenses unless damage has occurred on the property.
To trigger coverage for loss of power, the damage to utilities or equipment delivering that power would need to occur on the “residence premises.”
—Dan Corbin, CPCU, CIC, LUTC
Flood-damaged personal auto
Q. My client’s car was damaged in a hurricane. Specifically, it was caught in a flood and was inundated with water. What should she expect for insurance coverage?
A. This loss is covered if your client has “Other than Collision” (comprehensive) coverage on her personal auto policy.
PART D–Coverage For Damage To Your Auto states that “Loss caused by the following is considered other than ‘collision’: ... 6. Hail, water or flood” [emphasis added].—Dan Corbin, CPCU, CIC, LUTC
PIANY 2022-2023 Board of Directors
OFFICERS
President
David L. Sidle, CIC, CPIA
David L. Sidle Agency Inc.
219 S. Catherine St. P.O. Box 802 Montour Falls, NY 14865-0802 (607) 535-6501 david@sidleinsurance.com
President-elect
Gary Slavin, CIC, CLTC MassMutual
63 Sunset Road Massapequa, NY 11758-7541 (516) 873-4515 gslavin@financialguide.com
First Vice President
Richard Andrews, LUTCF Andrews Agency Inc.
804 W. State St. Ithaca, NY 14850-3312 (607) 273-7551 rich@andrewsagencyinsurance.com
Vice President
Jason E. Bartow, AAI, CPIA Bartow Insurance Agency & Jebb Brokerage Inc.
62 South Second St., Ste. C Deer Park, NY 11729-4716 (631) 242-4745 jason@bartowinsurance.com
Treasurer
Michael A. Loguercio Jr. Atlantic Agency 619 Roanoke Ave. Riverhead, NY 11901-2727 (631) 244-7784 michael.loguercio@loguercioinsurance.com
Secretary
Raymond J. Gillis Sr., FIC, FICF Fire Mark Insurance Agency Inc.
826 E. Main St. P.O. Box 39 Cobleskill, NY 12043-0039 (518) 234-2534 ray@firemarkins.com
Immediate Past President Tim Dean, CIC, CRM Marshall & Sterling Inc. 110 Main St., Ste. 4 Poughkeepsie, NY 12601-3080 (845) 454-0800 tdean@marshallsterling.com
NATIONAL DIRECTOR
Richard A. Savino, CIC, CPIA Broadfield Group LLC
68 Main St. Warwick, NY 10990-1329 (845) 986-2211 richs@broadfieldinsurance.com
DIRECTORS
Peter Buccinna XS Brokers
13 Temple St., Fl. 1 Quincy, MA 02169-5110 (518) 567-5645 pbuccinna@xsbrokers.com
Eric Cohen Benefit Quest Inc./Eric Cohen Insurance
420 Lexington Ave., Room 2400 New York, NY 10170-2499 (212) 389-7838 eric.cohen@benefitquest.com
Justin Fries, CIC, CPCU, CPIA Garber Atlas Fries & Associates Inc.
3070 Lawson Blvd. Oceanside, NY 11572-2711 (516) 837-1100 jfries@gafinsurance.com
Jorge Hernandez North Franklin Brokerage Inc.
13 N. Franklin St. Hempstead, NY 11550-3810 (516) 564-5656 jorge@nfbinsurance.com
David Lande, JD, CIC ALSR Agency Inc.
63 Prospect Ave., Apt. 18A Hewlett, NY 11557-1648 (516) 860-7477 david.lande@epicbrokers.com
Jon Lipton, CIC Castle Rock Capacity LLC
1 Blue Hill Plaza, Fl. 12 Pearl River, NY 10965-3104 (212) 360-2334 jlipton@castlerockagency.com
Leslie C. Rogoff Madison Avenue Brokerage Corp. 90 Broad St., Suite 1503 New York, NY 10004-2261 (646) 459-2495 leslie@madisonavenuebrokerage.com
Richard Signorelli AZBY Brokerage Inc. 1751 Crosby Ave. Bronx, NY 10461-4939 (718) 828-4505 richard.signorelli@azbybrokerage.com
PIANY-YIP REPRESENTATIVE
Scott Richards Hilltop Strategies 65 Lewis Court Huntington Station, NY 11746-1112 (516) 659-2352 scott.s.w.richards@gmail.com
ACTIVE PAST PRESIDENTS
Jamie A. Ferris, CIC, AAI, CPIA P.W. Wood & Son Inc. 2333 N. Triphammer Road, Ste. 501 Ithaca, NY 14850-1083 (607) 266-3303 jamie@thewoodoffice.com
Lynne R. Frank, CPCU 12 Turnberry Ct. Williamsville, NY 14221-8206 (716) 562-3256 lfrank802@gmail.com
Jeffrey H. Greenfield NGL Group LLC 112 Merrick Road P.O. Box 847 Lynbrook, NY 11563-0847 (516) 599-1100 jeffg@nglgroup.com
Fred Holender, CLU, CPCU, ChFC, MSFS Lawley, LLC 361 Delaware Ave. Buffalo, NY 14202-1622 (716) 849-8257 fholender@lawleyinsurance.com
Erik Nicolaysen III, CPCU Nicolaysen Agency Inc. 77 S. Greeley Ave. P.O. Box 108 Chappaqua, NY 10514-0108 (914) 238-4455 erik@nicolaysenagency.com
John C. Parsons II, CIC, AAI, CPIA Parsons & Associates Inc. 440 S. Warren St., Ste. 704 Syracuse, NY 13202-2656 (315) 472-5420 JCP2.PIANY@parsonsinsurance.com
Alan M. Plafker, CPIA 3070 Lawson Blvd. Oceanside, NY 11572-2711 (516) 837-1150 aplafker@gafinsurance.com
Gene L. Sandy, CIC Millennium Alliance Group 534 Broadhollow Road, Ste. 103 Melville, NY 11747-3673 (516) 496-8004 sandy@mag-insurance.com
Michael J. Skeele, CIC, CPIA Skeele Agency Inc. 1715 Albany St. P.O. Box 459 DeRuyter, NY 13052-0459 (315) 852-6180 mikeskeele@skeele.com
John Tomassi, CPCU Open Coast Surety Agency LLC 140 W. 31st St. New York, NY 10001-3411 (212) 686-1515 johnrtomassi@gmail.com
J. Carlos “Shawn” Viaña
7 Bridle Court
Latham, NY 12110-4948 (518) 785-1173
sviana@marshallsterling.com
COMMITTEE VOLUNTEERS
Dina Bruno, CPIA
Franklin Mutual Insurance Branchville, NJ
Paul G. Casciaro, CIC, CSRM, CPIA
Frank H. Reis Inc. Kingston, NY
Ed Chadwick
Jencap Specialty Insurance Services Buffalo, NY
Eric T. Clauss
E.T. Clauss & Co. Inc. Buffalo, NY
Matthew Davoult
Bank Direct Capital Finance Corp. Garden City, NY
Jennifer P. DeCristofaro
Lancer Management Co. Inc. Long Beach, NY
Marshall Glass
Iroquois Group Allegany, NY
Jeff Leibowitz Atlantic Agency Inc.
North Babylon, NY
Michael N. Plafker, CIC, CPIA Oceanside, NY
Bruce D. Rowledge Rowledge & Falvo Insurance
Scotia, NY
Frances A. Scott
F.A. Scott Insurance Agency Goshen, NY
Robert Shapiro Global Facilities Inc. Lynbrook, NY
Steven Sternberg
Bank Direct Capital Finance Corp. Garden City, NY