
Secure Messaging in Incident Response and Business Continuity

Today’s businesses face unprecedented risks. As mass interconnectivity replaces operational silos, every aspect of business, from transportation and the supply chain to email, data storage, facilities management and financial transactions, is vulnerable to compromise, disruption and human error. In addition to the people, processes and technology that are at risk in a crisis, so too are the communications mediums most commonly used for incident notification and response.

At the forefront of defining their organization’s risk management strategies, risk managers, board members, chief security officers and chief information security officers all have a responsibility to initiate both incident response plans and business continuity strategies that transcend the digital and physical worlds. After all, a digital threat can quickly evolve into physical damage and destruction, while a physical event can negatively impact digitally-driven business operations. If the communications mediums through which companies collaborate and disseminate important news and information are themselves compromised, an already challenging situation becomes considerably more complex.

Secure Messaging’s Role in Incident Response & Business Continuity
All organizations must prepare for unplanned events. Situations like acts of nature, data breaches or other compromises require planned responses under the assumption that one day they will occur. Different situations will require a different chain of events to take place, but there is one thing that all incident response and business continuity plans have in common: the need for ongoing communication during and after the event.

Whether you represent a power company that needs to notify first responders and emergency managers of an unexpected power outage/grid loss, an IT department discussing a plan of action during and after a ransomware attack, a healthcare team in different parts of a university communicating information during an active shooter event, or an enterprise sending messages to employees during a blizzard, fast, efficient and secure communications are essential.

How risk managers keep their businesses safe, how stakeholders communicate with colleagues and clients during a crisis and how an organization continues operations as quickly as possible is of the utmost importance. In some settings such as healthcare, energy or even on a campus, business can’t stop. So how do we ensure that caring for patients can continue and that we are prepared for any type of incident, emergency or crisis?

The first step is ensuring that your company’s communication plans are solid. No one should have to depend on a phone tree in which you never know whether someone actually received the voicemail, wonder whether information sent via fax was passed along after receipt, or worry whether a text message was intercepted or spoofed.

That means a near-instantaneous response is required. For example, an organization’s incident response personnel can use their secure messaging platform to set up templates in advance and pre-schedule a series of messages to notify first responders and emergency management offices, as well as all field employees, during a declared emergency. Replies to these automated communications can be routed to a specific mailbox or group for monitoring and response, or disallowed altogether depending on the type of communication, providing a central communication hub. Templates and distribution lists should be reviewed on a fixed schedule, since a stale contact list discovered mid-incident is itself a failure of the plan.

Many communications, even during an emergency, are confidential to the business. They must be retained for compliance and reporting purposes and need to be protected from leaks. Simply put, communications that require confidentiality and secure discussions do not belong on non-secure channels. In these situations, secure messaging platforms allow for rapid, secure notifications and response communications to meet corporate operating procedures and compliance mandates, without worry of third-party surveillance or leaks.

Every organization must proactively prepare to respond in a secure and efficient manner to minimize the impact to employees, clients and its bottom line. Email and SMS carry inherent risk: SMS is transmitted without end-to-end encryption and offers no sender authentication, and email is routinely spoofed and used for phishing, so neither channel can be trusted to confirm who sent a message or who read it. Secure messaging platforms are therefore emerging as the trusted option to ensure rapid, efficient and secure communications when they matter most.

Are You Prepared for GDPR?

If your work involves personal data, you probably already know the European Union’s (EU) General Data Protection Regulation (GDPR) enforcement date is May 25, 2018.


While penalties for noncompliance can be stiff, the sky may not be falling just yet.

GDPR focuses on personal data originating from the EU, which reaches well beyond the EU’s borders into organizations around the world that collect, process, use and store that data. As a regulation focused on data protection and privacy, GDPR’s impact may extend far outside the EU. For example, there are signs that Latin American countries may be considering a regulation that mirrors GDPR. With the recent Facebook/Cambridge Analytica data privacy fallout, several pieces of privacy-related legislation in the U.S. are currently being considered by federal lawmakers.

Privacy is a risk-based problem. Organizations should assess which risks exist and determine their risk tolerance. With data privacy, these risks are typically financial (such as fines and lawsuits) and reputational (bad press and negative perceptions).


GDPR also introduces a newer risk into the risk landscape: activist groups could use GDPR as a springboard to flood a target organization with data subject access requests, each of which must be answered within the regulation’s time limits.

Why GDPR matters and to whom it applies
GDPR applies to personal data originating from the EU. It gives individuals (“data subjects”) control over their personal data. This includes personally identifiable information (PII), IP addresses, biometric data, social identity, along with health, economic, cultural and genetic data. There are two reasons this has gotten so much attention:

  • The GDPR represents the EU’s most sweeping changes to privacy regulations in decades. It requires organizations to be transparent about which data is collected and how it will be used. All data collected must have a purpose and be kept accurate and up to date. Data subjects now have the right to access their data, fix errors, restrict usage, move data and demand that their data be deleted.
  • The penalties for noncompliance are unprecedented. The law sets out penalties of up to four percent of global annual turnover or €20 million, whichever is greater. It is not clear at this point how and when these fines will be applied or how readily they can be enforced outside the EU. However, the significant size of the potential fines and the risk of noncompliance have captured the attention of organizations around the world.

Large data-driven organizations have been working toward GDPR compliance since the regulation was passed in 2016. A significant number of organizations may not be ready, however. In fact, a flash poll conducted by Baker Tilly during a recent GDPR webinar revealed that 90% of attendees do not have the necessary controls in place to be GDPR-compliant.

What to do today
Preparing for GDPR compliance is a matter of preparing for privacy in general. Whoever you are and wherever you are in the world, consider these steps in your compliance journey:

  1. Identify potential data and systems affected by GDPR: Put a process in place to understand what data you collect and why. Know where it is coming from and where it is stored. You will want to know where you have “data pools” with GDPR relevance and you’ll want to know the scope. Is it one record or one million? Where are the gaps in compliance?
  2. Understand existing data privacy controls: Review your existing data protection controls and assess GDPR compliance. Do you have written security protocols in place? What is your risk exposure? Depending on the type of organization you represent, you may actually be closer to compliance than you think. For example, organizations compliant with NIST, ISO, HIPAA, PCI DSS, Privacy Shield or other frameworks may be well on the way to GDPR compliance. Note, though, that most of these frameworks address security controls; they do not by themselves establish a lawful basis for processing, records of processing activities or the handling of data subject rights, which GDPR requires separately.
  3. Lead from the top and educate: The news cycle is now dominated by the questionable use of personal information and it appears the shift to a data subject-centered environment may very well be here to stay. This issue goes beyond risk management and IT. Marketing, legal, government affairs, HR and communications are just a few of the functional areas touched by privacy issues. They all need to be as committed to data protection as the chief privacy officer.
  4. Be clear about how you will deal with data-subject requests: Once you have a clear picture of the data you possess, it is essential to design, implement and document your processes to correct, transfer and delete that data when required, or to provide a valid legal reason for retaining it.
  5. Determine whether you need a data protection officer: The GDPR requires that a data protection officer (DPO) be appointed in specific situations, such as public authorities and organizations whose core activities involve large-scale, regular and systematic monitoring of individuals or large-scale processing of sensitive categories of data. Proactive organizations should consider the organization’s position and strategy. Is privacy an essential piece of the business model (as it is for a bank) or the brand (as it is for Apple)? The answer may well influence whether or not you define a new area of leadership and accountability.

Looking ahead
There is a shift taking place. People used to accept (or not know) that their online data and personal information were being tracked and used by others. Many people seemed to think this was simply the price of being online. Now, people are questioning how their data is being used and governments are starting to listen. GDPR is the likely first step toward far more widespread change.

This is not about solving every single detail today. Most experts believe that a well-documented plan and clear effort to comply with the GDPR will make conversations with supervisory authorities significantly easier. Do the homework ahead of time, know your landscape, get your systems in place, be transparent and be ready to pivot when necessary. Do that, and you will be miles (or kilometers) ahead of everyone else next time a new law or regulation goes into effect.

Confronting D&O Insurers’ Efforts To Carve Back Subpoena Coverage

Whether a government subpoena constitutes a “claim” is a frequently contested issue between D&O insurers and their policyholders. D&O policies—at least with respect to coverage for private companies and individual insureds at any company—typically define “claim” through multiple subparagraphs: first, a broad and generalized subparagraph that usually references a “written demand for monetary or non-monetary relief,” followed by several narrowly framed subparagraphs that address more specific situations, such as “a civil or criminal proceeding commenced by the service of a complaint or similar pleading.” Most courts have held that generalized language, such as any “written demand for . . . non-monetary relief,” must be read expansively to encompass government subpoenas.

Insurers trying to avoid covering costs incurred by policyholders in connection with government subpoenas sometimes respond to these decisions by arguing that the generalized subparagraph should not be read broadly if one or more subsequent specific subparagraphs reference government subpoenas (or government investigations). For instance, an insurer may argue that a subparagraph expressly providing coverage for government subpoenas issued to individuals implicitly narrows the meaning of “written demand for . . . non-monetary relief” to foreclose coverage for government subpoenas issued to corporate entities. Similarly, an insurer might contend that a subparagraph explicitly providing coverage for subpoenas issued by the Securities and Exchange Commission implicitly narrows the meaning of “written demand for . . . non-monetary relief” to preclude coverage for subpoenas issued by other government agencies. Policyholders should be prepared to reject such arguments, as they ignore both well-established law regarding the interpretation of insurance policies (which prohibits insurers from limiting coverage by implication) and the typical structure of D&O policies (which contemplates that the subparagraphs defining “claim” will complement, not limit, each other).

First, it is well settled that provisions in an insurance policy setting forth the scope of coverage must be understood in their most expansive and inclusive sense for the policyholder’s benefit, while language that would limit coverage must be narrowly and strictly construed against the insurer (especially where that language would negate coverage provided elsewhere in the policy). Additionally, courts and commentators agree that any limitations on coverage must be stated in clear and unmistakable terms and cannot be extended by implication. Further, to the extent that there are any ambiguities in a policy’s terms, those ambiguities must be resolved in favor of coverage. Given these rules of construction, insurers have no basis to argue that a specific subparagraph in the definition of “claim” implicitly removes coverage that would otherwise be available under the generalized subparagraph.

Second, the multiple subparagraphs defining “claim” are intended to supplement, not restrict, each other. Insurance policies are often drafted with what courts have referred to as a “belts and suspenders” approach, and the definition of “claim” in D&O policies is one such example, where the generalized subparagraph is the belt ensuring coverage for a broad range of losses, whether or not they are enumerated in the specific subparagraphs, and the specific subparagraphs are the suspenders providing additional certainty on issues of particular importance to a policyholder. This additive approach to defining “claim” is also mandated by the use of the connector “or” between subparagraphs, a word that courts have consistently held requires that each of the connected provisions be given separate meanings that do not modify each other. This reading is also consistent with the many court decisions holding that a “written demand for . . . non-monetary relief” includes government subpoenas, as those courts reached their rulings despite the presence of multiple specific subparagraphs in those policies’ definitions of “claim.”

For these reasons, policyholders faced with an insurer attempting to deny or restrict coverage for government subpoenas by implication should be prepared to respond forcefully and push for coverage under the broad and generalized subparagraph that promises coverage for any “written demand for monetary or non-monetary relief.”

Implications of Flood Risk

Across the vast geography of the United States, flood is no stranger to any of the states. From the March 2018 Nor’Easters that slammed the East Coast to the numerous storms and hurricanes that have swept across the country, both coastal and non-coastal regions are all at risk of flood.

FEMA reports that 98% of U.S. counties have been impacted by a flooding event in the past, and 2016 and 2017 are examples of both the frequency and severity of the peril. According to Munich Re’s Geo Risks Research, there were more floods in the U.S. in 2016 than in any year on record. Hurricane Harvey, the eighth named storm of the 2017 Atlantic hurricane season, caused large flood losses and is reported as the second costliest hurricane in U.S. history after Hurricane Katrina. Major losses from Katrina were caused by flooding due to levee failure.

The National Flood Insurance Program (NFIP) was enacted by Congress with three main pillars: affordable insurance, floodplain management and flood mapping. Since its inception, the program has helped thousands of homeowners, with total claims exceeding $65 billion. The NFIP’s role in aiding homeowners was evident during the weeks and months following Hurricane Harvey. According to FEMA, as of January 2018, more than 91,000 NFIP policyholders had filed claims for Hurricane Harvey, and FEMA had paid more than $7.6 billion in losses to those policyholders. The economic losses of Hurricane Harvey, however, are likely to reach $85 billion. Even after accounting for commercial insured losses, the gap between insured and economic losses, known as the “protection gap,” is huge.

Based on events like Hurricane Harvey and Superstorm Sandy, it is likely that as many as 80% of the homes in Houston were not insured for flood. In fact, according to the Insurance Information Institute, only about 12% of homeowners in the United States purchase flood insurance, and the figure is even lower in inland states. The number of NFIP policies in the Mississippi River states (excluding Louisiana) is about 5% of the total NFIP program. Using current building stock data from Homes.com, this would put the purchase rate for flood insurance in the Mississippi states at less than 2%.

Why is there such a large protection gap and why is it important to narrow this gap?

A Floodzonedata.us study by the New York University (NYU) Furman Center found that there are about 6.9 million housing units within the 100-year floodplain as defined by FEMA. According to a February 2018 scientific study in IOPscience, “Estimates of present and future flood risk in the conterminous United States,” however, the actual number of exposed houses could be as high as 15.4 million. In addition, a September 2017 audit by the Department of Homeland Security Office of Inspector General noted that, as of December 2016, only 42% of FEMA’s flood maps were up to date and valid. Both Superstorm Sandy and Hurricane Harvey demonstrated several instances of FEMA maps being inadequate to evaluate the extent of flooding.

Extreme events like Harvey should be viewed as an opportunity for resilience initiatives. Jeffrey Heberg, Chief Resilience Officer for New Orleans, notes that the key to resilience is insurability. In fact, studies highlight the importance of high insurance penetration and its correlation with strong, resilient countries.

The stark contrast in the insurance penetration between Chile, Haiti and New Zealand provides an example of the impact the insurance industry can have towards financing the losses from major catastrophes. Following earthquakes in 2010, New Zealand and Chile showed faster recovery due to high insurance penetration and thus the ability to absorb losses, whereas Haiti went through a very slow recovery process due to the lack of catastrophe (re)insurance.

While insurance is an important factor, financial resilience through insurance is not enough. There is a further need for a comprehensive approach to mitigate severe natural catastrophes. This is when public private partnerships (P3s) play a crucial role. In New Zealand, the government-owned earthquake commission, with reinsurance in the global market, resulted in insurance penetration of up to 80%. A similar example of P3 in the United States is the reinsurance protection sought by FEMA to reinsure the NFIP against extreme events.

Public private partnerships rely on the government’s ability to ensure adequate loss prevention, build physically resilient structures and implement forward-looking municipal planning (such as flood maps and floodplain management that anticipate future conditions rather than only past ones). If people reside in and build more resilient structures, not only can it help save lives, but the cost of insurance could be lower, and both the probability of loss and the recovery time will be reduced for communities.

Building resilient communities to protect them from natural catastrophes is not only important, it is now becoming a crucial requirement for cities and states. Standard & Poor’s emphasizes the importance of disaster insurance arrangements to sovereign financial resilience. The September 2015 Standard & Poor’s rating report notes that a lack of insurance coverage for significant catastrophic events could negatively impact sovereign ratings, resulting in a downgrade. As recently as November 2017, Moody’s reported the incorporation of climate change into its credit ratings for state and local bonds. This means that communities, cities and states may be downgraded unless they show sufficient adaptation and loss mitigation strategies.

The time for resilience is now. As geographic regions that were once sparsely populated are now filled with burgeoning cities there is so much more at risk from today’s extreme weather events. Insurance can play a role in helping communities recover. Insurance alone, however, is only a partial solution. We also need to build resilient communities to help mitigate the damage caused by flood.