2222222222

Sponsored: Great American Insurance Group

Main Street America: A Vulnerable Target for Cyber Attack

Stop your small business from being the next victim by working with an insurer who can offer tailored solutions to fit your needs.
By: | May 23, 2018 • 6 min read

Cyber risk affects everyone. There’s not a business small or simple enough to escape its reach. If you handle personally identifiable information on behalf of employees or customers, use a computer to conduct business, or work with a vendor that does, your company is exposed.

Small businesses that make up Main Street America, however, continually underestimate their risk. These are the local food markets, ice cream shops and hardware stores; independent legal and consulting firms; preschools and small nonprofits that underpin community economies.

Sixty-one percent of businesses in this sector suffered a cyber attack in 2017, yet only 25 percent had sufficient cyber insurance coverage, according to Ponemon Institute’s “2017 State of Cyber Security in Small & Medium-Sized Businesses.” Even fewer – 22 percent – were taking steps to protect themselves by encrypting private employee and customer data.

Addressing the coverage gap requires two steps. First, small business owners need to better understand the type and extent of their cyber exposure. Second, their insurer and broker partners need to proactively educate this sector about the risk transfer solutions available to them.

The Many Forms of Cyber Risk

Betty Shepherd, Divisional Senior Vice President

“Cyber risk refers to the financial consequences a business has in the face of a network security breach or a breach of private information in their care, custody or control,” said Betty Shepherd, Divisional Senior Vice President, Great American Insurance Group.

“This risk can manifest itself in several forms, but the majority comes down to data. It’s important to analyze how data flows through your organization to determine your exposure.”

A network security breach can include anyone gaining unauthorized access to a company’s systems and/or data. A network breach may or may not result in a privacy beach, in which an unauthorized person gains access to personal identifiable information (PII) like credit card numbers, Social Security numbers, addresses or other sensitive data. A network breach can cause business interruption, data loss or even an extortion event.

Possible theft of PII triggers a host of extra expenses. All 50 states now require businesses to report cyber breaches involving PII to affected individuals as well as regulators. An organization may need to conduct forensic investigation to determine what — if anything— was accessed or stolen. Affected companies may also offer ongoing credit monitoring services to affected customers if financial information was divulged.

“In states with notification requirements, data owners are legally obligated to notify an individual if their private information has been breached or thought to be accessed in an unauthorized manner,” Shepherd said.

“Many small businesses believe this obligation falls to their third-party data processors, such as payment processors handling credit card data, or outsourced accounting functions administering payroll, for example. But that is not the case. Care of that data remains the responsibility of the business that collected it.”

Cyber extortion in the form of ransomware has grown increasingly common as a way for thieves to make off with small sums. Many companies would rather pay an affordable ransom and regain system access quickly than battle with an unknown assailant.

Denial of service attacks can cause financial harm via business interruption and lost income.

Third-party liability also enters the picture if the data belonging to a vendor or other business associate is unlawfully accessed, stolen or corrupted.

“An affected third party could file a claim against you if your network is determined to be the source of malware or the entry point for a cyber thief, thus enabling the compromise of the third party’s network,” Shepherd said.

Business owners should also keep in mind that paper trails are as important to safeguard as digital ones.

“People also tend to forget that cyber risk extends to paper files as well as electronic. Data is data,” Shepherd said. “Physical documents that contain sensitive information are still an exposure. Failing to properly store and/or dispose of that paper may open a company up to the same liability as if a computer system gets hacked.”

More often than not, carelessness on the part of employees — rather than a malicious hacker — is the cause of network security failure. Unwittingly clicking on a link or attachment within a phishing email, for example, can plant malware without any overt indication. Mobile devices used for work can be stolen or lost. Papers casually tossed in the trash are easy targets for theft.

“Understanding where cyber risk comes from is the first step of risk mitigation,” Shepherd said.

Developing a Risk Management Strategy

Once a business pinpoints where its exposure lies, it can take specific steps to strengthen vulnerabilities. Encrypting data renders it useless to a cyber thief. Storing sensitive documents in a locked cabinet and enforcing proper disposal protocols reduces the risk that they’ll fall into the wrong hands. Installing firewalls and dual-authentication processes can enhance network security.

But advancing technology and increasingly sophisticated hackers make it nearly impossible to build ironclad defenses against cyber risk. This is why adequate cyber insurance is critical in helping small companies stay up and running in the aftermath of a breach.

Parsing through the insurance options available, though, can be difficult even for large corporations with more cyber expertise. Lots of overlap exists among current products on the market. General liability, E&O and fidelity products may have some cyber component built in but may not offer all the coverages a company needs. Still, some small businesses can find it costly to purchase a standalone cyber policy.

“There are many policy variations, and there’s no single form on the market that will cover every cyber peril,” Shepherd said. “The appropriate solution depends on the nature of your exposure.”

A pizzeria, for example, can still make pies and accept cash payments if their point-of-sale system goes down, so its management team is less concerned about business interruption expenses. A manufacturer, on the other hand, may suffer a total lapse in operations if their industrial network is compromised. A consulting firm is likely to have staff working remotely and may need specific coverage for mobile devices more so than a clothing boutique. But the boutique will transact a larger volume of credit card data and may be more concerned with breach notification and remediation costs.

Expertise to Craft Custom Solutions

Insurers with expertise in cyber risk can offer the tailored solutions that small businesses need.

Great American offers a modular policy format with a menu of insuring agreements, including security breach liability and expenses, cyber extortion threats, funds transfer fraud, replacement or restoration of electronic data, and public relations expenses, among others.

“A Great American policy includes the third-party liability exposure inherent in many network security and privacy breaches as well as the first-party exposure like breach notification, investigation and credit monitoring expenses,” Shepherd said. “We also have separate coverage available for public relations services to help an organization mitigate reputational damage in the event they experience negative publicity following a breach.”

Great American policyholders also have access to a web portal offering informational resources like whitepapers, as well as breach calculators and referrals for security, forensic investigation and legal firms.

Great American has focused its cyber expertise on the needs of small- to medium-sized companies, underwriting businesses with up to $250 million in annual revenue.

“Every organization has a cyber risk exposure, but we’re not looking to underwrite everyone. We’re dedicated to the unique needs of small- and mid-size organizations,” Shepherd said. “We will continue to educate and serve this sector as the risk and exposures evolves.”

To learn more, visit https://www.greatamericaninsurancegroup.com/for-businesses/product-details/alternative-markets/cyber-risk.

Great American Insurance Group, 301 E. Fourth St., Cincinnati, OH 45202. Policies are underwritten by Great American Insurance Company, Great American Assurance Company, Great American Alliance Insurance Company, Great American Insurance Company of New York, Great American Security Insurance Company, and Great American Spirit Insurance Company, authorized insurers in all 50 states and the DC.

SponsoredContent

BrandStudioLogo

This article was produced by the R&I Brand Studio, a unit of the advertising department of Risk & Insurance, in collaboration with Great American Insurance Group. The editorial staff of Risk & Insurance had no role in its preparation.




Great American’s innovative insurance solutions and specialization serves niche marketplaces that we know well, giving us a successful foundation that spans generations.

Risk Focus: Workers' Comp

Do You Have Employees or Gig Workers?

The number of gig economy workers is growing in the U.S. But their classification as contractors leaves many without workers’ comp, unemployment protection or other benefits.
By: and | July 30, 2018 • 5 min read

A growing number of Americans earn their living in the gig economy without employer-provided benefits and protections such as workers’ compensation.

Advertisement




With the proliferation of on-demand services powered by digital platforms, questions surrounding who does and does not actually work in the gig economy continue to vex stakeholders. Courts and legislators are being asked to decide what constitutes an employee and what constitutes an independent contractor, or gig worker.

The issues are how the worker is paid and who controls the work process, said Bobby Bollinger, a North Carolina attorney specializing in workers’ compensation law with a client roster in the trucking industry.

The common law test, he said, the same one the IRS uses, considers “whose tools and whose materials are used. Whether the employer is telling the worker how to do the job on a minute-to-minute basis. Whether the worker is paid by the hour or by the job. Whether he’s free to work for someone else.”

Legal challenges have occurred, starting with lawsuits against transportation network companies (TNCs) like Uber and Lyft. Several court cases in recent years have come down on the side of allowing such companies to continue classifying drivers as independent contractors.

Those decisions are significant for TNCs, because the gig model relies on the lower labor cost of independent contractors. Classification as an employee adds at least 30 percent to labor costs.

The issues lie with how a worker is paid and who controls the work process. — Bobby Bollinger, a North Carolina attorney

However, a March 2018 California Supreme Court ruling in a case involving delivery drivers for Dynamex went the other way. The Dynamex decision places heavy emphasis on whether the worker is performing a core function of the business.

Under the Dynamex court’s standard, an electrician called to fix a wiring problem at an Uber office would be considered a general contractor. But a driver providing rides to customers would be part of the company’s central mission and therefore an employee.

Despite the California ruling, a Philadelphia court a month later declined to follow suit, ruling that Uber’s limousine drivers are independent contractors, not employees. So a definitive answer remains elusive.

A Legislative Movement

Misclassification of workers as independent contractors introduces risks to both employers and workers, said Matt Zender, vice president, workers’ compensation product manager, AmTrust.

“My concern is for individuals who believe they’re covered under workers’ compensation, have an injury, try to file a claim and find they’re not covered.”

Misclassifying workers opens a “Pandora’s box” for employers, said Richard R. Meneghello, partner, Fisher Phillips.

Issues include tax liabilities, claims for minimum wage and overtime violations, workers’ comp benefits, civil labor law rights and wrongful termination suits.

The motive for companies seeking the contractor definition is clear: They don’t have to pay for benefits, said Meneghello. “But from a legal perspective, it’s not so easy to turn the workforce into contractors.”

“My concern is for individuals who believe they’re covered under workers’ compensation, have an injury, try to file a claim and find they’re not covered in the eyes of the state.” — Matt Zender, vice president, workers’ compensation product manager, AmTrust

It’s about to get easier, however. In 2016, Handy — which is being sued in five states for misclassification of workers — drafted a N.Y. bill to establish a program where gig-economy companies would pay 2.5 percent of workers’ income into individual health savings accounts, yet would classify them as independent contractors.

Unions and worker advocacy groups argue the program would rob workers of rights and protections. So Handy moved on to eight other states where it would be more likely to win.

Advertisement




So far, the Handy bills have passed one house of the legislature in Georgia and Colorado; passed both houses in Iowa and Tennessee; and been signed into law in Kentucky, Utah and Indiana. A similar bill was also introduced in Alabama.

The bills’ language says all workers who find jobs through a website or mobile app are independent contractors, as long as the company running the digital platform does not control schedules, prohibit them from working elsewhere and meets other criteria. Two bills exclude transportation network companies such as Uber.

These laws could have far-reaching consequences. Traditional service companies will struggle to compete with start-ups paying minimal labor costs.

Opponents warn that the Handy bills are so broad that a service company need only launch an app for customers to contract services, and they’d be free to re-classify their employees as independent contractors — leaving workers without social security, health insurance or the protections of unemployment insurance or workers’ comp.

That could destabilize social safety nets as well as shrink available workers’ comp premiums.

A New Classification

Independent contractors need to buy their own insurance, including workers’ compensation. But many don’t, said Hart Brown, executive vice president, COO, Firestorm. They may not realize that in the case of an accident, their personal car and health insurance won’t engage, Brown said.

Matt Zender, vice president, workers’ compensation product manager, AmTrust

Workers’ compensation for gig workers can be hard to find. Some state-sponsored funds provide self-employed contractors’ coverage.  Policies can be expensive though in some high-risk occupations, such as roofing, said Bollinger.

The gig system, where a worker does several different jobs for several different companies, breaks down without portable benefits, said Brown. Portable benefits would follow workers from one workplace engagement to another.

What a portable benefits program would look like is unclear, he said, but some combination of employers, independent contractors and intermediaries (such as a digital platform business or staffing agency) would contribute to the program based on a percentage of each transaction.

There is movement toward portable benefits legislation. The Aspen Institute proposed portable benefits where companies contribute to workers’ benefits based on how much an employee works for them. Uber and SEI together proposed a portable benefits bill to the Washington State Legislature.

Advertisement




Senator Mark Warner (D. VA) introduced the Portable Benefits for Independent Workers Pilot Program Act for the study of portable benefits, and Congresswoman Suzan DelBene (D. WA) introduced a House companion bill.

Meneghello is skeptical of portable benefits as a long-term solution. “They’re a good first step,” he said, “but they paper over the problem. We need a new category of workers.”

A portable benefits model would open opportunities for the growing Insurtech market. Brad Smith, CEO, Intuit, estimates the gig economy to be about 34 percent of the workforce in 2018, growing to 43 percent by 2020.

The insurance industry reinvented itself from a risk transfer mechanism to a risk management mechanism, Brown said, and now it’s reinventing itself again as risk educator to a new hybrid market. &

Susannah Levine writes about health care, education and technology. She can be reached at [email protected] Michelle Kerr is associate editor of Risk & Insurance. She can be reached at [email protected]