OpenDNS, a provider of security services, has an online phishing quiz that you and your employees can take. You can bring up about 14 different browser screens and choose whether it is a legitimate website or a phishing website. At the end, you will get a score and, below that,

information on indicators that will help you distinguish the difference between phishing sites and real websites.

You can take the phishing quiz at:   http://opendns.com/phishing-quiz/

The more your employees know what legitimate websites look like and what indicators to look for, the better they are at recognizing suspicious screens.

The Government Contractors Defense (GCD) provides a level of immunity for liability claims brought by a third party when they have incurred damages or injury caused by the independent contractor, his products, or services. However, this is not an automatic shield of protection. It does not relieve the FGC from expenses incurred to defend themselves. If your company is sued, the court may relieve you from all liability resulting from the claim, but you are still responsible for all defense costs. And, what if the court decides not to grant you the immunity? There is nothing in the Federal Acquisition Regulations (FAR) that states the government has to provide the immunity.

The Government Contractors Defense does not apply if one business partner sues another. Most Federal Government contracts involve a prime contractor and a number of different subcontractors. It is not uncommon for litigation to ensue between a prime contractor and one of the subcontractors for financial injury because of the failure of the subcontractor to perform under the contract. The most common reasons are a delay in delivering the service or product on time or a failure of the product to perform as needed. Business partner litigation is not protected under the GCD.

Many products or services provided by FGC’s aren’t exclusive to the Federal Government and are provided to the commercial market where they are not protected by the governmental immunity. Also, most products or services sold to foreign governments would not be afforded immunity under the Government Contractors Defense (GCD).

Federal Government Contractors (FGC) need a broker with expertise in this area to assist them with the selection of the proper risk management programs and insurance coverage. An expertise which very few agents or brokers possess.

It is common practice to enter into contractual agreements to formalize the terms and responsibilities of all parties. The contracts will often include an indemnity agreement, also known as a hold harmless agreement, as a means to transfer risk from one party to another. There are 3 kinds of indemnity or hold harmless clauses typically contained in contracts: limited, intermediate and broad form. Each type determines the level of negligence for which the parties are being asked to agree.

To support the terms of the indemnity agreement, the contract will often include insurance requirements. These insurance requirements often identify the coverage, limits, and other terms that your client requires you to provide.

The insurance section may ask you to name your client as an additional insured on your policy. When you agree to do so, you have agreed to share your limits with your client in the event of a loss that results from your negligence and names both you and your client in a lawsuit. The intent of an additional insured endorsement is not to provide coverage for the additional insured’s sole negligence. However, you may be able to obtain coverage for the additional insured’s contributory negligence. It is important that the additional insured coverage in the policy satisfies the contract requirements.

Don’t be confused – additional insured coverage is different than additional “named” insured. If a contract asks you to name your client as a “named” insured, the clause should be removed from the contract. Your insurance policy will not provide coverage for a “named” insured that does not have more than 50% common ownership.

Some contracts include outdated insurance terms and limits that are unreasonable when compared to the cost or scope of the job. For example, we have seen contracts ask for unlimited liability; or contracts that require coverage for any and all losses. Obviously all policies have aggregate limits and exclusions; so if you agree to terms like this, you are agreeing to self insure without limitation any loss or damage including that which your policy will not cover.

Be cautious when reviewing the indemnity agreement to determine the extent of your company’s liability. Once the scope of the requirements is understood, you may want to negotiate the terms to limit your exposure. Negotiating with some of the larger corporations can be a challenge; especially those who use intermediaries armed with insurance coverage check lists with little room for change. We have found that you can be successful even in these situations, when you have the right assistance. It is important that your desire to bring in new revenue doesn’t overshadow the added liability you could be agreeing to and that may not be insured.

SANDERSON RISK ADVISORS

3151 New Germany-Trebein Rd

Beavercreek, OH 45431

1-888-368-7248

P: 937-306-6426

F: 937-878-2917

www.SandersonRiskAdvisors.com

www.TechAssure.com
 

While the nuts and bolts of cloud computing have been around for several years, there is still some confusion as to how cloud computing services work. In the simplest of terms, cloud computing is the delivery of computing as a service over the internet and does not require the end-user to maintain the software, data or network servers at their physical location. The end-user gains several advantages including scalability and reduced costs. However, there are also some disadvantages to keep in mind.

Why should we care?

In a cloud environment, geography loses meaning. When we store data on our own network servers, we have some idea where our data is at any point in time and the security features we have in place to protect that data. When we move our data into the cloud, we lose that ability and may be relying on ineffective old-world security models.

What should we be doing to protect ourselves?

1. As a purchaser of cloud computing services you must understand that the priority of the service provider may not be security, but instead providing you with low cost, scalable applications. A recent study published by Ponemon Institute indicates that a majority of cloud providers believe security is the responsibility of the subscriber, while subscribers feel that the service provider is responsible for security.
2. Standard service agreements may need modification; however, you may not have the option. For example, if you are no longer able to access information due to a service provider disruption, what is your plan for retrieving information saved in the cloud?
3. Know what information you are moving into the cloud. It may not be appropriate to move all data into the cloud and users must plan to ensure that only intended information is transferred.
4. How does the cloud impact your compliance with various regulations or contractual requirements? With numerous state and federal laws, and foreign regulations, it is important to understand how moving information beyond your physical control may impact you. Are you still in compliance with all of your contractual agreements?
5. If your information is accidentally accessed or breached while in the cloud – how will you determine the cause, what was accessed, etc.? Does your cloud service provider allow you to conduct forensics to investigate the cause of the breach, or to determine what was impacted? If you do have those rights with your provider, will your forensics team be able to conclude what happened quickly enough to comply with various laws and regulations regarding data privacy? Who is responsible for paying the compliance costs associated with meeting these legal requirements?

The list above is not all-inclusive and is intended only to be a starting point for discussion. Whether you have actively decided to move information into the cloud or not, there is a strong possibility you are already engaged with a service provider who has services housed in the cloud. For more information on risk management and insurance solutions for your exposure to cloud computing contact David or Richard at:

Sanderson Risk Advisors
3151 New Germany-Trebein Rd
Beavercreek, OH 45431
1-888-368-7248
P: 937-306-6426
F: 937-878-2917
www.SandersonRiskAdvisors.com
www.TechAssure.com

Contributed by Kirstin Simonson
Underwriting Director, Global Technology, Travelers

Why is this aspect of your vacation or business trip so difficult to find a definitive solution?

1) Every rental contract can be different as to what that particular company wants to hold you responsible for. These are very one sided contracts and can cause a lot of financial stress and emotional distress, if a loss occurs. The rental agencies emphasize “they are not providing insurance”, so they don’t fall under any state insurance department regulations.

2) Some states have laws that limit or allow what provisions can be put in a rental agreement. The same rental company can have a different contract depending on which states they are operating in. Most American insurance companies will only provide coverage for the United States, its territories and possessions and Canada. You MUST buy local insurance in all other countries.

3) Credit card companies tout the benefits they offer their customers including rental car coverage, but this protection is usually excess over any other available coverage. This is a last resort type of coverage and then they have their own limitations and exclusions.

4) Even if you buy the coverage from the rental agency, you can void the coverage by certain actions of the renter or driver.

5) The coverage under your personal or business auto policy won’t provide coverage for all of the damages that the rental agreement holds you responsible for.

SOLUTION 1

The renter can purchase all of the coverage under the rental agreement. You think that by purchasing the basic liability, plus the increased liability coverage of $1,000,000 and the damage waiver coverage on the car, you can just turn the keys in at the rental desk and walk away, in the event that you have a claim of any kind. An accident is more likely to happen in a strange city where you are busy looking for signs instead of watching traffic, so you decide to pay up front. The drawbacks are the high cost of this approach and even at this high cost you don’t get what you expect. First, the basic liability coverage is excess over any other coverage you may have. So you are going to have to turn the accident into your own company, anyway, before the basic rental liability will apply. The $1,000,000 limit, that you paid extra for, can be excess coverage, also. Some rental contracts will make this primary coverage when you buy the $1,000,000 limit, but NOT ALL, so you have to read the contract or confirm the coverage before you arrive. The collision damage waiver is good protection on the rental car itself. With this, you get first dollar coverage for any damage to the rental car, any loss of use charges, claim expenses, diminished value from the claim, or any salvage charges, but the renter or driver can easily void the coverage under the collision damage section of the rental agreement. The most common exclusions that void coverage are: 1) Driving while under the influence of any substance that is known to impair one’s driving ability. This can be drugs, alcohol (their policy doesn’t state legally intoxicated so a single drink could void coverage) or medication; 2) You let someone not listed on the rental agreement drive (this can be a valet at a restaurant or hotel as well as a companion); 3) Driving on unpaved roads; 4) You’re charged with reckless or careless driving. 5) You leave the keys in the car & it is stolen; 6) you leave the state without prior written permission. If an accident causes a serious injury, you can exhaust the liability limits provided by the rental agreement and still have to involve your personal or business auto policy.

SOLUTION 2

Rely on your own auto liability coverage and just purchase the damage waiver coverage from the rental agency. This is the option that I usually choose. Your legal liability for injury or damage to someone else because of an accident that you cause is covered by state law and the rental agreement doesn’t generally apply. Your personal or business insurance company deals with the other party just as if you were driving your regular vehicle. By purchasing the damage waiver, you don’t have to worry about any damage to the rental car, deductibles, loss of use, diminished value, salvage cost, or anything else the contract states as long as you didn’t do any thing to void the coverage, as stated above. The disadvantages are you can void the coverage that you just purchased. The cost still adds up if you have a long rental or if you do it often, and your personal or business auto rates will increase because of the liability claim they handle.

SOLUTION 3

Don’t purchase any rental car coverage from the rental agency and rely solely on your own auto policy. The is the least expensive option, but you are responsible for all damages to the vehicle and the rental agreement, that you signed, holds you responsible for certain other damages that your regular personal or business auto policy won’t cover. Typically, by signing the rental contract, you are agreeing to be responsible for: lost rental income while the car is repaired (even if it takes longer than it should); diminished value of the rental vehicle because of the accident; at their option, the difference between the salvage value of the vehicle and the value of the vehicle when you signed the agreement, if they decide not to repair it and sell it for salvage: or anything else they decide to add to the contract. Your personal or business policy won’t pay for diminished value. It will pay for a certain number of days of lost income( or a certain dollar value) while repairs are done, but the rental agency may be slow in getting it done and bill you for more lost time than the insurance company authorized. An example of the salvage situation is: you rent a $30,000 car, have a $7000 accident, the rental agency (at their option) decides not to put it back into service and sells the car for salvage value and gets $14,000. The rental agency gets the $14,000 salvage value plus the $7000 from the insurance company for a total of $21,000 and bills you for the $9000 difference to get the $30,000 original value. To make things even worse, you are still going to have to pay your normal deductible and your rates are going up because of the accident surcharge. This can happen for an accident that isn’t even your fault, but the other party doesn’t have insurance. The rental agency doesn’t care. They just want their money. As you can see, you are taking a big risk if you don’t buy the collision damage waiver protection and then you have to be careful to add all drivers and don’t void the coverage in some way.

Now for the disclaimer, this is a general discussion of most rental car contracts and typical coverage for most insurance carriers. Most business auto policies will have a limit of $25,000 or $50,000 coverage for rental vehicles, so be sure to check your limit. Most personal auto policies will exclude any trucks larger than a small pickup truck. In some cases you may have no option but to take the rental agency coverage. This article is intended to give you a better understanding of the risks involved in renting vehicles and, therefore, you can make a more informed decision as to the amount of risk you can handle. There can be other provisions, restrictions, limits, or exclusions in various rental agreements and insurance policies, but this just addresses some of the more common areas. Businesses that have a lot of rentals may want to set up a reserve fund to pay for any damage and fund it with the money they save by not purchasing the Damage Waiver on each rental. Businesses that have an account with a major rental agency can negotiate some concessions such as: all employees and spouses are covered drivers. Check with your rental agency and see how many of these responsibilities you can negotiate out of the standard rental agreement.

Everybody has heard about Cyber risks and the number of high profile data breaches that have occurred recently, but I still think many risk managers and most technology company owners don’t take the threat seriously. They think “it won’t happen to me, I’m a small company not somebody like Sony”, but then I wouldn’t have thought that a playstation would be a cyber target or they may think I don’t keep clients information, my technology service isn’t in the banking or healthcare sector, or some other reason they won’t be targeted. The incidents of hacking, insertion of malware or ransom ware, denial of service attack, or APT attacks is larger than people think. According to Identity Theft Resource Center over half of data breaches are never reported. An APT attack could be sitting in your computer now and you don’t even know it is there. What is an APT attack? This stands for “Advanced Persistent Threat”. These are consistent, multidimensional, sophisticated attacks. These are the most deadly attacks and many times are state sponsored to get top secret national information. These are attacks that technology companies in the Defense Industry need to worry about. The hacker tries to remain undetected for as long as possible and to steal organizations information for as long as possible. This used to be a government problem, but now they are targeting business to get company inside information for inside trading, product processes or ingredients, or other intellectual property. The computer technician that works on our system tells us he is removing 1 or 2 viruses a week from local business computer systems. Most of these attacks have not been very sophisticated, but that is changing. He says the hacking programs are becoming more interwoven into the operating systems and more difficult to remove. He almost gave up on one of his recent systems before he finally figured out what the villains were doing. They are cloaking their viruses better so the user doesn’t know they are there and they are harder to detect even when you are looking for them. A hacker can insert a program and not trigger it for months or they can retrieve data and not use it for months. As a technology company, almost any client that you do work for has some kind of sensitive data. If they sell anything, they are going to be collecting names and credit card information. Thieves inserted malware in a supermarkets computer system and stole information including clients’ credit card numbers. If you perform work for the service industry, they also take personal information and credit card numbers for billing purposes. Anyone that services the medical industry would have to comply with HIPAA regulations in reporting those breaches and the costs associated in notification of anyone involved. Every business has client lists, vendor lists, business plans, and other proprietary information. Every technology company, consultant, programmer, integrator, defense contractor, software designer or anyone else involved in computer systems in any way needs to take the cyber risk seriously.

As a business owner or risk manager you constantly must assess external risks that may affect your operation or the fulfillment of your company objectives. One of those risks that has been in the news lately is the Federal Governments handling of the budget and national debt. I want to look at this risk not from a political angle, but strictly from a business risk or opportunity. In every risk, if you are prepared, there could be opportunity. I am sure some won’t see it as objective, so, cut me some slack and I will do my best. In your risk assessment, you look at the probability of an event occurring and then the potential consequences of that event. Then, if you have a comprehensive risk management plan, you will have the appropriate measures and controls in place to minimize the consequences and, MAYBE, be ready for an opportunity.

With this assessment, you need to use the qualitative method to analyze this risk, instead of the quantitative process, where you can assign a numerical value. What is the likelihood of this event happening from: rare, to unlikely, to possible, to likely, to almost certain. What are we measuring? The possibility of a budget or debt crisis affecting the county, the technology or defense industry, and ultimately your company. Then you measure the consequences of this risk on your company from insignificant, to minor, to moderate, to major, to catastrophic.

Here are some of the so called facts that I have read about or heard on the TV or radio:

1. Our national debt is about $14.3 trillion and climbing.
2. The debt is increasing by $1.5 trillion per year and the new budget deal isn’t doing much of anything to trim this for the next couple of years.
3. The government base line budget increases by about 7.5% annually. THAT IS RIGHT! THE BUDGET AUTOMATICALLY INCREASES ANNUALLY. This means the budget will double in about 9-10 years.
4. Any cuts that are claimed are from a larger budget. There are no real cuts from the current spending levels.
5. The new 10 year budget projects a GDP growth of about 3.5%, while our current growth is between 1% and 2%.
6. The new budget deal anticipates the expiration of the Bush Tax Cuts. If they don’t expire their will be a $5 trillion plus shortfall.
7. On the flip side, if they expire, I guess this means that $5 Trillion will be taken out of the private sector over the next 10 years.
8. The last full year statistics show 4.4% less people insured under workers compensation programs. That translates to over 8 million people. Can we put these people back to work and help grow our way out of this budget crisis?
9. The government is running out of ways to stimulate the economy and politicians are reluctant to spend more money, on the same programs that haven’t worked, to stimulate the economy, although these programs may have kept the economy from being worse.
10. Net Apps stated in a recent earnings release that the prolonged debt ceiling and budget debate significantly cut their business and reduced their outlook. Several of our government contractors have also said that jobs they were bidding on had funding cut or the project was put on hold.
11. If the next budget compromise isn’t reached by November and passed by December, the defense spending gets slashed along with Medicare. What effect will this have on the technology sector? They will probably still try to invest in technology and applications that increase efficiency but many programs will be cut. It appears that the two political parties have such a difference of opinions that a long term solution is very difficult. Does this mean that we face the same battle year after year and the country grinds to a halt with indecision?
12. Some people are talking about another recession while others are talking about inflation picking up or even stagflation.
13. From numbers that I have seen, raising taxes won’t help much. There are around 4 million tax payers with an adjusted annual income over $200,000. If you doubled their taxes (and they didn’t move to Costa Rica or some place), the government would raise around $500 billion or about 1/3 of the budget deficit.
14. Corporate taxes only bring in around $200 billion with a tax rate that is already one of the highest in the developed world. Increasing their rate won’t help much and the president and congress are discussing lowering this rate to be more competitive with the world.
15. Finally, nobody is talking about the increased Social Security and Medicare payments from a retiring baby boomer generation.

As you plan ahead for 3 to 5 years, how do you see the technology business climate?

Or is it a generalist website that wants to be all things to all business?
We specialize in this industry and all of our efforts go into adding expertise for our clients.

2. What was the last article you read regarding risk management issues of tech companies?

We study issues that affect the technology business on a daily basis.

3. Have you ever written a risk management article specifically directed to technology firms?

We write content for our website and other social media platforms weekly.

4. Are you a member of any technology associations or groups that work exclusively on developing best practices for technology companies?

We are the Ohio & Kentucky representative of TechAssure. TechAssure is the only technology focused risk management group in the United States. We have 10 years of developing detailed material like our 300 page book on issues important to federal government contractors.

5. What was the last technology class you took to meet your continuing education?

We have at least 45 hours annually of technology specific continuing education through TechAssure that include presentations from insurance company claim departments, market updates from technology underwriters, trial lawyers ( both defense and plaintiff ), expert witnesses used in cyber or errors & omissions cases, & other industry professionals.

6. When was the last time you read a technology Errors & Omissions or Professional liability policy (or our policy) from beginning to end?

We try to read at least a policy from one of our 18 markets on a weekly basis.

7. What companies do you contact to provide Errors & Omissions coverage for our company?

Most brokers only approach 2 or 3 companies, usually Chubb, Travelers, and Hartford. We have access to 18 markets and some are almost exclusive to Techassure members.

8. If I have a problem that you can’t answer, who do you turn to?

Most brokers will say someone else in my firm or the company underwriter. His underwriter only knows that companies position. We can contact our partners in TechAssure, the only worldwide group of technology specialists that work with your issues daily.

9. What Technology Associations do you personally belong to?

WE are members on Dayton Defense, AFCEA, Technology First, BioOhio, Tech Columbus

10. Of the last 4 or 5 accounts you have acquired, what industries are they in?

If they were something other than technology, how did that help you? With every technology company we add, we add value for you because we gain additional knowledge of the industry.

IF YOUR CURRENT RISK MANAGER CAN’T ANSWER THESE, THEN DO YOU STILL WANT THEM PROTECTING THE FUTURE OF YOUR COMPANY OR SHOULD YOU TALK TO THE SPECIALISTS AT

SANDERSON RISK ADVISORS

We define risk management as helping our clients avoid any deviation from their strategic plan.

Keep checking back as we discuss various challenges facing technology companies. We will try to keep each post relatively short and general in nature but if you have a particular subject that you would like to discuss more in detail, please let us know. We love what we do. Check out our websites and see why we are unique in the industry.

Richard Sanderson