
Risk Management Bulletin

MANAGING RISK FOR ‘BRING YOUR OWN DEVICE’ COMPANIES

By Risk Management Bulletin

These days, cyberattacks against businesses are a daily occurrence. This crime poses a significant threat to firms that have a “bring your own device” (BYOD) policy, allowing employees to use their personal mobile devices – such as tablets, smartphones, and laptops – for company business.

This eliminates the cost of providing these devices to employees who are away from the office, raises productivity by streamlining the flow of information, and allows real-time employee response to client needs. On the other hand, a BYOD policy creates serious information security risks.

Companies have significantly less control over employees’ devices than over in-office technology – which makes it easier to hack them. More and more workers are storing data from their devices in “the cloud” (one study found that among the 89% of young employees who use personal cloud storage, 70% are storing work-related files, while 33% store customer data there). What’s more, according to the FCC, roughly one in three robberies involve mobile phones, and criminals often target laptops and tablets.

The result: it can be easy for hackers and thieves to target corporate data and confidential client information on your employees’ devices, leaving you open to expensive litigation and negative publicity.

To reduce this exposure, risk management experts recommend that your IT department educate employees on the vulnerabilities of their devices and provide the resources to protect them by: 1) adding auto-locks on all devices that can disable them if stolen; 2) making sure devices are stored in a safe place at all times; and 3) recommending passwords that combine letters, numbers and symbols.

We strongly encourage you to purchase cyber liability insurance as a safety net that can help you prevent hacking and minimize its financial and reputational costs to your company.

To learn more, feel free to get in touch with our risk management specialists at any time.

WILL YOUR FIRE EXTINGUISHER BE READY?

By Risk Management Bulletin

Although fire extinguishers are great for putting out small fires – or preventing them from turning into big ones – make sure that yours are ready should the time come. Consider these tips from OSHA:

Be certain the extinguishers are the type required by your fire exposure. The extinguisher to use depends on the type of fire:

  • Class A fires involve materials such as wood, paper, or cloth which produce glowing embers or char
  • Class B fires involve flammable gases, liquids, and greases, including gasoline and most hydrocarbon liquids, which must be vaporized for combustion to occur
  • Class C fires involve fires in live electrical equipment or in materials near electrically powered equipment
  • Class D fires involve combustible metals, such as magnesium, zirconium, potassium, and sodium.

Put extinguishers in proper and easily identifiable locations. Locate them along normal paths of entry and exit and make sure that they’re clearly visible. Where you can’t avoid visual obstruction completely, provide directional arrows to indicate the location of extinguishers and signs marked with the extinguisher classification. If devices intended for different classes of fire are located together, mark them conspicuously to ensure that employees choose the proper extinguisher in case of fire.

Keep portable extinguishers fully charged and operable. They should be kept in their designated locations at all times when not being used. When extinguishers are removed for maintenance or testing, provide a fully charged and operable replacement unit.

These tools are valuable only if they’re available and functioning when needed. For more recommendations on keeping your workplace as safe as possible, talk with our risk management professionals. We’re here to help!

DISPOSING OF OUTDATED EQUIPMENT? – TAKE CARE

By Risk Management Bulletin

Some businesses pay to put their obsolete equipment in mothballs. Others use it to generate income either by sale or as a tax-deductible donation to charity.  If you choose this option, beware: you could be exposing yourself to a nasty liability claim by the new owner.

Before you decide to sell or donate used equipment ask yourself: 1) was it too old to operate, not operating properly, or were replacement parts unavailable? and 2) has the original manufacturer or seller gone out of business, leaving you liable as the seller or donor?

To help reduce your product liability for outdated equipment that’s sold or donated, follow these guidelines:

  • Make it clear in a sales agreement that the equipment is being sold or donated “as is,” with no inspections, testing, reconditioning, or repairs.
  • Recommend that the buyer or recipient have the equipment inspected and tested before using it and repaired or upgraded to make sure that it’s safe to operate it.
  • Identify any safety hazards or deficiencies, and either repair them or recommend that the buyer or recipient do so; if this isn’t possible, scrap the equipment.
  • Include a clause stating that the buyer or recipient holds you as the seller or donor harmless for all liability, legal fees, expenses, etc., arising from use of the equipment.
  • Get legal advice to be sure that you’ve taken all appropriate measures to reduce the risk.

For more information, please get in touch with our agency.

ONLINE EMPLOYEE PORN: EMPLOYER, BEWARE!

By Risk Management Bulletin

Failing to investigate the activities of an employee whose company computer contains pornography could leave your business wide open to a lawsuit.

A New Jersey case, Jane Doe v. XYC Corp., involved an employer who learned that a worker was using his company computer to visit pornographic web sites and share images with fellow employees. After he was convicted of videotaping his 10-year-old stepdaughter nude and partially clad, the victim’s mother sued the company, arguing that its failure to investigate and report that the employee was viewing, downloading, and distributing child porn on his work computer led to the girl’s victimization. The court held that because viewing child pornography is a federal and state crime, the employer’s knowledge of this activity should have led it to look into this misconduct.

Viewing online porn in the workplace is all too common. Consider that: 1) approximately 70% of web traffic to pornographic sites occurs from 9 a.m. to 5 p.m.; 2) billions of pornographic e-mails go out every day; and 3) more than 75% of workers say that they have visited a pornographic web site “accidentally” at least once, while 15% have made 10 or more visits.

A number of states require businesses to report child pornography on workplace computers to law enforcement or risk facing criminal charges. To remove your employees’ expectations of privacy in using computers, let them know the company is free to inspect or monitor this equipment, and have them agree in writing that they understand this policy.

What’s more, other courts might well rule that the Doe decision applies to other illegal activities by employees who use company computers to cause physical, financial, or other harm to third parties.

A word to the wise.

BUSINESS INTERRUPTION: THE GOLDILOCKS CHALLENGE

By Risk Management Bulletin

If you suffered a catastrophic loss today, your business interruption insurance would reimburse you for the revenues you would have earned without the event, minus what you did earn, up to the amount of the policy. However, if you set this amount too high, you could wind up “over-insured” – and paying a higher premium than you need to.

To make sure that you’re in the “Goldilocks Zone” (with neither too much nor too little coverage) when it comes time to renew your business interruption insurance, estimate the revenue stream you’ll need to protect during the policy period by asking such questions as:

1.      Has the market for your products or services changed significantly since you last bought coverage?

2.      What do you see as the impact of expected economic or market conditions on your projected revenues – for example, by raising or lowering prices to meet competition?

3.      If you have any new products or services for which there is little or no sales history, check how similar products or services from your competitors are performing.  Be sure to include any unique advantages that you, or they, might have (for example, technological innovation).

4.      Do you have any contracts or advance orders to support a revenue forecast that differs significantly from industry trends?

5.      Have you made recent changes to operations or facilities – such as a new plant, restructured management or marketing campaign – that you expect to increase sales?

The risk management professionals at our agency stand ready to help you answer these questions so that you can protect your projected revenue stream with a comprehensive business interruption policy tailored to your needs.  Just give us a call at any time.

DON’T BYPASS MACHINE SAFETY!

By Risk Management Bulletin

Although most machines come equipped with guards, and despite advances in technology, workplace injuries from the misuse of machinery remain all too common – that’s why OSHA emphasizes machine guarding and cites employers for machine-guarding violations.

The best way to approach machine safety is to conduct regular inspections. Put yourself in the shoes of the OSHA inspector and take a walk-through of your facility. Check each machine for exposed moving parts, including meshing gears, in-running rollers, reciprocating parts, chain and sprocket drives, cams and rollers, belts and pulleys, rotating couplings, shafts, flywheels, cutting or abrasive surfaces, cooling fans, and conveyors. Examine the guards on the machines, such as barriers, electronic-eye shutdown devices, beam scanners, interlocks, and enclosures. If any of the guards are broken or missing, tag the machine and get it fixed.

Even the best-designed and maintained guards are useless if workers try to bypass them. Training sessions should stress that removing guards or disengaging interlocking devices to make work easier or faster is too risky.

The most hazardous situations involve operators adjusting a machine or removing jammed work or broken parts. Make sure that operators know the specific steps for powering down and locking out a machine before they service or adjust it.

Have a written dress code for working around machinery. Don’t let workers wear long, loose sleeves, hanging drawstrings or tassels, ties, scarves, and open jackets. The same applies to long hair, jewelry, and gloves. Make sure that operators wear proper personal protective equipment, such as safety glasses and face shields or goggles if they’re handling hot or hazardous liquids and safety shoes if they’re placing heavy materials in and out of a machine.

To learn more about how you can keep your workplace free of risk, feel free to contact us.

WHEN BAD THINGS HAPPEN TO GOOD COMPANIES

By Risk Management Bulletin

If disaster strikes your business, how you respond, and how the public perceives this response, can have a significant and lasting impact. A poorly handled reaction will damage your reputation, lead to lost customers and sales, and even trigger litigation – while an effective response can help mitigate those threats. Planning makes all the difference.

Two trends make catastrophe planning more crucial and complex than ever: the growth of foreign investment and the explosion of social media. More U.S. companies now have operations abroad or are considering investing overseas.  When a catastrophe occurs, the global reach of the Internet and social media means that news and images can spread around the world in seconds. An ineffective response will bring a drumbeat of negative media stories until the issue finally fades from public view. By that time, the damage might be irreparable.

On the other hand, a response that engages the public and highlights your efforts to resolve the situation can turn a negative story into a positive one. For example, when a group of miners was trapped in a Chilean mine, video footage from inside the mine showed that the men were safe and helped to focus attention on the highly innovative, and ultimately successful, plan to rescue them.

Although you can’t predict when or where a catastrophe will strike, you can prepare ahead of time. Then, when disaster strikes, you’ll be ready to deploy a robust catastrophe and reputation management plan for handling the incident and dealing with media coverage. Effective pre-planning should include these steps:

1.      monitor trends while thinking outside the box;

2.      implement internal and external response procedures; and

3.      practice these responses.

For more information, please get in touch with us.

RISK MANAGEMENT: NOT JUST FOR THE BIG GUYS

By Risk Management Bulletin

No matter the size of your business, you can benefit from using the basic techniques that major corporations employ to control their risks. Consider these examples:

  1. Plan and plan again. Develop a comprehensive business continuity plan based on a thorough knowledge of your operations. As part of this process, establish procedures to drive decision-making in an emergency and help ensure that information gets to the right people. Test the plan at regular intervals. “It’s a terrific training mechanism,” advises Jim Hedrick, Area Vice President of Business Continuity Planning at Arthur J. Gallagher & Co. (Cincinnati), “and also helps identify who shouldn’t be in your plan. Sometimes you have people in these events who just melt down because they can’t handle the stress.”
  2. Review supply chain risks. In an effort to cut costs, more and more companies have reduced the number of suppliers, changing their risk profile in the process.
  3. Define your “risk appetite.” Identify the risks your business faces and decide which ones you’re willing to assume and those that you prefer to insure. You can use this process to benchmark yourself against the risk management practices of your competitors.
  4. Encourage return-to-work efforts. These programs can produce significant savings in workers compensation costs, allowing injured workers to participate in modified work assignments while they recover.
  5. Work with professional risk management organizations, such as the Risk and Insurance Management Society (RIMS). These groups can provide valuable continuing education and networking activities.

As risk management professionals, we can provide you with a comprehensive review of your program and recommend revisions – free of charge, of course. We’re always here to help.

DO YOUR PROTECTION DEVICES REALLY PROTECT YOUR BUSINESS?

By Risk Management Bulletin

You set the security alarm every night on your way home. You double-check the window locks and turn the deadbolt on the back door. You place your cash and valuables in the safe. Before turning out the lights, you start the backup routine on your computer. Congratulations! All of these steps help minimize your chance of loss and make you a more effective risk manager. But how do you know that these devices are working properly?

For example, although you’re performing regular backups to your computer, do you double-check to be certain the data is actually there? One systems administrator ran her backup routine every night, only to discover at the time of a systems crash that all backup files for the past six months were blank, due to a hardware malfunction.

Have you tested your security alarm lately to make sure that it actually alerts the police or fire department? Are you sure that your safe locks completely when the door is closed? If your employees sometimes close up at night, do they have a checklist that covers every step in the process?

Making your protection devices work as hard as you do is just one of our services. Although many agencies can sell you insurance, we do far more than this. We can help minimize your losses by implementing a comprehensive and effective risk management program that supplements your insurance by providing a “safety net” to catch you.

Our philosophy is clear: The best claim is the one that never happens. If you agree, just give us a call.

INFORMATION SECURITY RISKS: LEAKS FROM TOP TO BOTTOM

By Risk Management Bulletin

Top managers are more likely than rank-and-file workers to put their companies at risk for data breaches and theft of intellectual property, according to a recent nationwide study.

“On the Pulse: Information Security Risk in American Business,” a survey of more than 750 information workers by digital security risk management firm Stroz Friedberg, found that nearly nine in ten senior managers (87%) have sent work materials to personal e-mail or cloud accounts, making this information vulnerable to outsiders. What’s more, nearly three in five managers surveyed (58%) accidentally sent sensitive material to the wrong person – compared to 25% of workers overall.

This risky behavior didn’t change when managers moved on. More than half of top management and more than one in three mid-level managers (37%) admitted to taking job-related emails, files, or confidential information with them after they left their employer. About one in five lower-ranking employees (20%) did so.

“Insiders are by far the biggest risk to the security of a company’s sensitive information, whether it’s a careless executive or a disgruntled employee,” says Stroz Friedberg CEO Michael Patsalos-Fox. More than half of senior managers (52%) in the survey stated that they had failed to meet their responsibility for protecting their companies against cyber risk.

Bring-your-own-device (BYOD) workplaces also open the doors to hackers, malware and viruses. Although improved internal communication and training can help mitigate this risk, only one in three workers (35%) at BYOD companies say that their employers trained them on mobile device security.

We’d be happy to recommend guidelines for a comprehensive review of potential chinks in your cybersecurity armor. Feel free to get in touch with us at any time.