Coverage Disputes Over Online Attacks Grow


A federal court has ruled that an insurer’s professional liability policy must pay out $6 million for a company’s losses from a business e-mail compromise scam, even though the business lacked cyber coverage.

The ruling is part of a growing trend of businesses that haven’t purchased cyber insurance seeking coverage for cyber-related losses from other policies they do have, such as business liability, professional liability, and directors & officers (D&O) coverage.

Seeking coverage for cyber losses and for e-mail compromise scams under policies other than a cyber policy is not often successful, and whether the insurer will pay out can depend on the nature of the loss.

In this latest case however, a judge in the U.S. District Court in the Southern District of New York ruled that American International Group must cover $5.9 million that a company had been duped out of by Chinese hackers in 2016.

AIG had disputed the claim saying that the professional liability policy the business had does not cover “criminal acts,” adding that it had never sold the company a cyber policy.

These disputes are becoming more common and you should pay attention to your policy exclusions, as well as consider cyber insurance, if you have assets that could be exposed through a cyber attack or fraud.

How was the business scammed?

SS&C Technologies received spoof e-mails that purported to come from one of the company’s clients, Tillage Commodities Fund, a commodities investment firm. The e-mails instructed the company to make six wire transfers to a bank account in Hong Kong.

The scammers masqueraded as Tillage employees with e-mail addresses that spelled “Tillage” as “Tilllage.”

But according to court documents, there were telltale warning signs that the e-mails were fishy:

  • One e-mail asking SS&C to wire $3 million contained only the words “How was your weekend?” and then the wire transfer details.
  • E-mails included grammatical errors and unusual syntax like “Let’s round up business today.”

Based on the above, staff at SS&C were not too diligent in looking out for possible business e-mail compromise scams, in which a third-party hacker poses as someone else (a client, a vendor, or even a manager or president of the targeted company) via e-mail and requests a wire transfer into a bank account.
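The "Tilllage" versus "Tillage" sender address is the classic one-character lookalike domain. The following is an added example, not part of the article or SS&C's controls, of a payment-desk check that holds a wire request for a phone callback when the sender domain is within one character edit of a trusted client domain (the domains and the sample message are constructed placeholders):

```python
"""Lookalike-sender check for wire-transfer e-mails (added example)."""
from email.utils import parseaddr

# Constructed, hypothetical list of trusted counterparties.
TRUSTED_DOMAINS = {"tillage.example", "ssctech.example"}

# Words that indicate the message is asking for a payment to be moved.
WIRE_WORDS = ("wire", "transfer", "account number", "swift", "beneficiary")


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance: minimum insertions, deletions and substitutions."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_sender(from_header: str) -> str:
    """Return 'trusted', 'lookalike:<trusted domain>' or 'unknown'."""
    _, addr = parseaddr(from_header)
    domain = addr.rsplit("@", 1)[-1].lower()
    if domain in TRUSTED_DOMAINS:
        return "trusted"
    for trusted in TRUSTED_DOMAINS:
        # One inserted, dropped or swapped character is the typical typosquat
        # ("tilllage" vs "tillage"), so distance <= 1 is flagged.
        if edit_distance(domain, trusted) <= 1:
            return f"lookalike:{trusted}"
    return "unknown"


def should_hold_for_callback(from_header: str, body: str) -> bool:
    """Hold the request for out-of-band verification when the body asks for a
    wire AND the sender is not an exact trusted domain."""
    asks_for_wire = any(w in body.lower() for w in WIRE_WORDS)
    return asks_for_wire and classify_sender(from_header) != "trusted"


if __name__ == "__main__":
    # Constructed sample modelled on the e-mail described in the court documents.
    sample_from = "Ops <ops@tilllage.example>"
    sample_body = "How was your weekend? Please wire $3,000,000 to account number 1234."
    print(classify_sender(sample_from), should_hold_for_callback(sample_from, sample_body))
```

The check is deliberately independent of the mail client: the same logic can sit in a payment-approval workflow so that a lookalike sender alone is enough to force a callback to a known-good phone number.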

This type of scam, which cost organizations $300 million every month in 2018, according to the U.S. Department of Treasury, is covered by a standard cyber insurance policy.

SS&C did not have a cyber policy, so it sought coverage under its professional liability policy for the losses it sustained when transferring those funds. AIG did pay for SS&C’s legal defense costs after Tillage Commodities sued, but refused to cover the $5.9 million in stolen funds.

According to court documents, AIG’s policy included a clause that it would not provide indemnity coverage for losses arising from “dishonest, fraudulent or criminal acts.”

What this means for your firm

While this case worked out for the insured party, businesses should not rely on their non-cyber insurance policies to continue paying claims. As costs for cyber attacks like ransomware, malware, stolen data and business e-mail compromise scams grow, insurers are increasingly including clauses that explicitly exclude coverage for those risks.

If you have any important company assets in digital form and/or make or receive payments online, it would be wise to secure a cyber insurance policy.

If you don’t, you can try to seek coverage under other policies. It may be difficult to obtain, but not impossible.

For example, if your company has D&O liability insurance and/or crime insurance, it may be able to seek coverage for any ransomware events since those policies will typically include coverage for kidnapping and ransom.

Some insurers are now providing — either deliberately or unintentionally — kidnapping and ransom coverage that applies to ransoms paid in response to cyber extortion. Among the events that these policies may consider cyber extortion are:

  • Threats to poison a computer system with malware.
  • Threats to change, damage or destroy programs or data stored on a system if the owner does not pay a ransom.

That said, many insurers who provide this coverage likely did not anticipate covering ransomware losses and have started changing their D&O and crime policies to specifically exclude ransomware.

Other insurers have added deductibles to the coverage, mirroring the terms of cyber policies, while others have capped the amount of business interruption coverage they will provide for cyber-extortion losses.

New Rules Require Employers to Provide IIPP upon Request


New Cal/OSHA regulations will require employers to provide access to their injury and illness prevention programs upon request.

Under the new rule, which is expected to take effect in April, employers will be required to provide a copy of their IIPP within five days of a request by an employee or an employee’s representative (such as a lawyer). The employer can provide it in electronic or printed form.

That said, the new rule excludes requests for records of the steps the employer has taken to implement and maintain the IIPP. This was excluded at the behest of employers who raised concerns that allowing such requests would give attorneys a green light to file requests in hopes of discovering errors or “improprieties.”

Despite the current absence of a rule, many employers already provide employees access to the IIPP through the availability of printed and/or electronic copies.

“For employers that do not currently provide such access, they will need to ensure that employees can access a free copy of the IIPP directly or through a designated representative upon request,” Cal/OSHA’s board staff wrote in the “Final Statement of Reasons” for the rulemaking package. “As such, providing access need not be a complex procedure requiring costly development.”

Employer groups had lobbied for a 10-day window for providing the IIPP, while labor groups wanted a faster timeline of just 48 hours. The board compromised with the five-day rule.

The rule was needed because the current IIPP standard does not explicitly state that employees should have access to their company’s IIPP.

Current IIPP standard

Every employer in California is required to have an effective IIPP. This basic safety program for your workplace addresses the hazards your employees face at work each day, and it must be in writing.

Cal/OSHA has a guide for creating an IIPP.

But, you should not just create an IIPP because you have to. Going through the process of creating an IIPP ― as well as updating it periodically ― can also help your organization by:

  • Preventing workplace injuries.
  • Reducing your workers’ compensation insurance rates.
  • Helping you to find ways to boost your workflow.
  • Improving the bottom line of your business.

Elements of an effective IIPP

  • The plan is in writing and reflects what you actually do.
  • A point-person, who is in charge of managing the IIPP process.
  • Input from department heads as well as rank and file employees when updating or creating your IIPP.
  • Requiring that everyone follows the rules of the program.
  • A system for reliable, prompt communication between supervisors and line employees on safety.
  • Conducting regular inspections to identify hazards.
  • A framework for investigating accidents and illnesses, to discover the cause and to prevent recurrence.
  • Requiring that hazards are corrected promptly when found.
  • A regimen for training employees on the hazards they may encounter at work.
  • Documentation of training and workplace inspections.

It’s Time to Post Your Form 300A!


We are reminding employers to post OSHA Form 300A from Feb. 1 to April 30, as required by law.

Form 300A, which lists a summary of the total number of job-related injuries and illnesses that occurred last year, must be posted in a conspicuous place where it is visible to all of your employees.

The summary must include the number of job-related injuries and illnesses that occurred in 2019 and were logged on OSHA Form 300, “Log of Work-Related Injuries and Illnesses.”

To assist in calculating incidence rates, information about the annual average number of employees and total hours worked during the calendar year is also required.

If your business recorded no injuries or illnesses in 2019, you must enter “zero” on the total line and still post the form, which must be signed and certified by a company executive. Form 300A should be displayed in a common area where notices to employees are usually posted.

Certain employers are exempt from the posting requirement, including:

  • Small employers ― those with 10 or fewer employees at all times during the year.
  • Employers in low-hazard industries ― see list of partially exempt industries at: (PDF).


If you don’t have copies of forms 300 and 300A, you can find them here.

Employer Guide for Dealing with the Coronavirus


As the outbreak of the 2019 novel coronavirus gains momentum and potentially begins to spread in North America, employers will have to start considering what steps they can take to protect their workers while fulfilling their legal obligations.

Employers are in a difficult position because it is likely that the workplace would be a significant source of transmission among people. And if you have employees in occupations that may be of higher risk of contracting the virus, you could be required to take certain measures to comply with OSHA’s General Duty Clause.

On top of that, if you have workers who come down with the virus, you will need to consider how you’re going to deal with sick leave issues. Additionally, workers who are sick or have a family member who is stricken may ask to take time off under the Family Medical Leave Act.

Coronavirus explained

According to the Centers for Disease Control, the virus is transmitted between humans from coughing, sneezing and touching, and it enters through the eyes, nose and mouth.

Symptoms include a runny nose, a cough, a sore throat, and high temperature. After two to 14 days, patients will develop a dry cough and mild breathing difficulty. Victims also can experience body aching, gastrointestinal distress and diarrhea.

Severe symptoms include a temperature of at least 100.4ºF, pneumonia, and kidney failure.

Employer concerns

OSHA — OSHA’s General Duty Clause requires an employer to protect its employees against “recognized hazards” to safety or health which may cause serious injury or death.

According to an analysis by the law firm Seyfarth Shaw: If OSHA can establish that employees at a worksite are reasonably likely to be “exposed” to the virus (likely workers such as health care providers, emergency responders, transportation workers), OSHA could require the employer to develop a plan with procedures to protect its employees.

Protected activity — If you have an employee who refuses to work if they believe they are at risk of contracting the coronavirus in the workplace due to the actual presence or probability that it is present there, what do you do?

Under OSHA’s whistleblower statutes, the employee’s refusal to work could be construed as “protected activity,” which prohibits employers from taking adverse action against them for their refusal to work.

Family and Medical Leave Act — Under the FMLA, an employee working for an employer with 50 or more workers is eligible for up to 12 weeks of unpaid leave if they have a serious health condition. The same applies if an employee has a family member who has been stricken by coronavirus and they need to care for them.

The virus would likely qualify as a serious health condition under the FMLA, which would warrant unpaid leave.

What to do

Here’s what health and safety experts are recommending you do now:

  • Consider restricting foreign business trips to affected areas for your employees.
  • Perform medical inquiries to the extent legally permitted.
  • Impose potential quarantines for employees who have traveled to affected areas. Ask them to get a fitness-for-duty note from their doctor before returning to work.
  • Educate your staff about how to reduce the chances of them contracting the virus, as well as what to do if they suspect they have caught it.

If you have an employee you suspect has caught the virus, experts recommend that you:

  • Advise them to stay home until symptoms have run their course.
  • Advise them to seek out medical care.
  • Make sure they avoid contact with others.
  • Contact the CDC and local health department immediately.
  • Contact a hazmat company to clean and disinfect the workplace.
  • Grant leaves of absence and work from home options for anyone who has come down with the coronavirus.

If there is a massive outbreak in society, consider whether or not to continue operating. If you plan to continue, put a plan in place. You may want to:

  • Set a plan ahead of time for how to continue operations.
  • Assess your staffing needs in case of a pandemic.
  • Consider alternative work sites or allowing staff to work from home.
  • Stay in touch with vendors and suppliers to see how they are coping.
  • Consider seeking out alternative vendors should yours suddenly be unable to work.