Sponsored: Starr Companies

Everyone Gets Hacked

No company is safe. Know how to prepare for and recover from a cyber attack.
By: | December 14, 2015 • 5 min read

All aspects of modern business increasingly rely on electronic devices and the Internet. From finance to sales to HR – technology is completely enmeshed in our daily lives.

Unfortunately, it sometimes takes an attack to demonstrate just how vulnerable we really are to cyber intrusion. And while the media focuses attention on highly regulated industries like health care, finance and retail, the extent of the problem is much broader and deeper.

“There are those that have been breached and know it, and then there are those who have been breached and don’t know it. The media highlights the high-profile cases, which should serve as a wake-up call for all organizations. A cyber breach can happen to any company,” said Annamaria Landaverde, National Cyber Practice Leader for Starr Companies.

While it may be inevitable that you will be the victim of a cyber attack, there are many things that can be done to mitigate the risk. By focusing on an emerging set of best practices, your company will be much better positioned to defend and protect your systems but also to repair and recover if those defenses are breached.

Starr_SponsoredContent“Every company needs to focus as much time on protecting their networks as the hackers do trying to get to them. We view our role as a partner to help you stay on top of the latest technological threats and give you the tools to protect your company from cyber attack.”
— Annamaria Landaverde, National Cyber Practice Leader, Starr Companies

Prepare, Prevent and Protect

A sound cyber risk management program is built upon many different and interconnected pillars. To assist clients in these efforts, Starr Companies offers a complete suite of Risk Management Tools.

“Our team invests a lot of time into curating and managing the tools available to our clients. We recognize that preparation is the most critical aspect in mitigating the risk and we want to help our clients prepare, prevent and protect to the best of their abilities,” said Landaverde.

These risk management tools include self-assessments, calculators, risk management frameworks and a web portal with news, pre-vetted experts and other resources. “While other insurers may offer a web portal, few invest as much effort to ensure that the information is as complete and high quality,” added Landaverde.

And while many factors need to be considered for a cyber risk management program, there are some critical steps that Landaverde recommends you pay particular attention to. These include:

  • Create an incident response team – Know which person within the organization is responsible for which roles when responding to a cyber incident.
  • Classify your data – Understand what type of data is stored on your systems, where it’s stored, and then take it a step further and segment the data so the most sensitive data has the most controls and protections around it.
  • Analyze access points – Who has access to what systems and networks? Consider employees, vendors and third parties. Do they still need access? Can it be limited?
  • Provide employee training – Surprisingly, inside user error is a growing cause of cyber security issues. Hackers can gain access to a company’s network through phishing emails and social engineering. Stop these incidences by making employees aware of these tactics and how to handle them.

“Once a company has a sound risk management framework in place, then you buy insurance,” said Landaverde. “Starr’s Security & Privacy Risk Response™ policy encompasses the full range of breach response and recovery, such as class action lawsuits or regulatory agency proceedings, business interruption and downtime, and expenses associated with the management of responding and recovering from a breach.”

Respond Effectively

Starr_SponsoredContentUnfortunately, even the best risk management program can’t prevent every cyber attack.

But when the inevitable occurs, the effectiveness of responding to an attack is often proportional to the investment in preparing and protecting an organization’s digital infrastructure.

Immediately after an attack, the company’s incident response team will deploy its crisis plan. Communication with all affected stakeholders is key! Experts will need to help identify the type of incident, what was affected, and contain the loss. It may be necessary to consult with legal, and comply with any regulatory and privacy requirements, state and federal laws, and industry-specific regulations. It may be necessary to notify clients, provide credit monitoring or credit counseling services, set up a call center, or offer other services.

And if you are unlucky enough to be in the media spotlight during this time, the effectiveness and depth of your pre-planning will become very clear.

“In the case of a breach, we always recommend that our clients immediately notify us. While the natural reaction might be to wait until you know the extent of the damage before contacting your insurer, in the case of a cyber attack, time is of the essence,” said Landaverde. “We have the resources and experience to help you through the process and most importantly, minimize the damage.”

Starr’s eRisk Hub portal provides risk managers with various pre- and post-breach resources, including, law firms, IT experts and forensic investigators, who can walk through what steps to take. In addition, a Breach Coach® is available 24/7 to offer 30-minute free consultations. “They help assess the severity of the situation and provide guidance on the immediate actions you should take once a breach is discovered. This fast response is vital,” said Landaverde.


After a breach, it is critical to understand how the breach occurred and to implement processes to prevent it from happening again.

Starr’s risk management tools provide access to IT experts who can help repair, replace, recover and rebuild after a loss. This is necessary to ensure that the vulnerabilities that led to the breach are patched and that all systems are secure. The incident response team will want to analyze what happened, how the company responded and what can be done to avoid future issues.

“You don’t really hear too much about the recovery piece in the media, as all of the focus is on the notification, but there’s a lot that has to go on after the dust settles,” said Landaverde. “Sit down with your incident response team and your C-Suite, and discuss lessons learned, identify where the improvements need to take place, and implement those updated controls or updated systems. Most importantly, update your crisis plan.”

No Company is Safe

As cyber attacks continue to increase in frequency, the costs to remediate the consequences also grow. It’s important for every company to recognize the real threat of cyber breaches and take steps like the ones mentioned here to prevent and minimize damage.

“Every company needs to focus as much time on protecting their networks as the hackers do trying to get to them,” said Landaverde. “We view our role as a partner to help you stay on top of the latest technological threats and give you the tools to protect your company from cyber attack.”

Starr Companies is the worldwide marketing name for the operating insurance and travel assistance companies and subsidiaries of Starr International Company, Inc. and for the investment business of C. V. Starr & Co., Inc. and its subsidiaries.


This article was produced by the R&I Brand Studio, a unit of the advertising department of Risk & Insurance, in collaboration with Starr Companies. The editorial staff of Risk & Insurance had no role in its preparation.

Starr Insurance Companies is a global commercial insurance and financial services organization that provides innovative risk management solutions.

More from Risk & Insurance

More from Risk & Insurance

4 Companies That Rocked It by Treating Injured Workers as Equals; Not Adversaries

The 2018 Teddy Award winners built their programs around people, not claims, and offer proof that a worker-centric approach is a smarter way to operate.
By: | October 30, 2018 • 3 min read

Across the workers’ compensation industry, the concept of a worker advocacy model has been around for a while, but has only seen notable adoption in recent years.

Even among those not adopting a formal advocacy approach, mindsets are shifting. Formerly claims-centric programs are becoming worker-centric and it’s a win all around: better outcomes; greater productivity; safer, healthier employees and a stronger bottom line.


That’s what you’ll see in this month’s issue of Risk & Insurance® when you read the profiles of the four recipients of the 2018 Theodore Roosevelt Workers’ Compensation and Disability Management Award, sponsored by PMA Companies. These four programs put workers front and center in everything they do.

“We were focused on building up a program with an eye on our partner experience. Cost was at the bottom of the list. Doing a better job by our partners was at the top,” said Steve Legg, director of risk management for Starbucks.

Starbucks put claims reporting in the hands of its partners, an exemplary act of trust. The coffee company also put itself in workers’ shoes to identify and remove points of friction.

That led to a call center run by Starbucks’ TPA and a dedicated telephonic case management team so that partners can speak to a live person without the frustration of ‘phone tag’ and unanswered questions.

“We were focused on building up a program with an eye on our partner experience. Cost was at the bottom of the list. Doing a better job by our partners was at the top.” — Steve Legg, director of risk management, Starbucks

Starbucks also implemented direct deposit for lost-time pay, eliminating stressful wait times for injured partners, and allowing them to focus on healing.

For Starbucks, as for all of the 2018 Teddy Award winners, the approach is netting measurable results. With higher partner satisfaction, it has seen a 50 percent decrease in litigation.

Teddy winner Main Line Health (MLH) adopted worker advocacy in a way that goes far beyond claims.

Employees who identify and report safety hazards can take credit for their actions by sending out a formal “Employee Safety Message” to nearly 11,000 mailboxes across the organization.

“The recognition is pretty cool,” said Steve Besack, system director, claims management and workers’ compensation for the health system.

MLH also takes a non-adversarial approach to workers with repeat injuries, seeing them as a resource for identifying areas of improvement.

“When you look at ‘repeat offenders’ in an unconventional way, they’re a great asset to the program, not a liability,” said Mike Miller, manager, workers’ compensation and employee safety for MLH.

Teddy winner Monmouth County, N.J. utilizes high-tech motion capture technology to reduce the chance of placing new hires in jobs that are likely to hurt them.

Monmouth County also adopted numerous wellness initiatives that help workers manage their weight and improve their wellbeing overall.

“You should see the looks on their faces when their cholesterol is down, they’ve lost weight and their blood sugar is better. We’ve had people lose 30 and 40 pounds,” said William McGuane, the county’s manager of benefits and workers’ compensation.


Do these sound like minor program elements? The math says otherwise: Claims severity has plunged from $5.5 million in 2009 to $1.3 million in 2017.

At the University of Pennsylvania, putting workers first means getting out from behind the desk and finding out what each one of them is tasked with, day in, day out — and looking for ways to make each of those tasks safer.

Regular observations across the sprawling campus have resulted in a phenomenal number of process and equipment changes that seem simple on their own, but in combination have created a substantially safer, healthier campus and improved employee morale.

UPenn’s workers’ comp costs, in the seven-digit figures in 2009, have been virtually cut in half.

Risk & Insurance® is proud to honor the work of these four organizations. We hope their stories inspire other organizations to be true partners with the employees they depend on. &

Michelle Kerr is associate editor of Risk & Insurance. She can be reached at [email protected]