Abby Ferri Joins Hays Companies As Vice President

Abbi Ferri headshotHays Companies announced Abby Ferri has joined its Minneapolis operations as Vice President. She will be responsible for helping build the national construction practice through her experience and expertise in safety and risk management.

“We are excited to have Abby join our growing construction division at Hays,” said Tim Boberg, President of Property and Casualty-Minneapolis. “She brings valuable risk control experience, entrepreneurship and leadership to her new role.”

Ferri has more than 15 years of experience in construction risk management. In 2012, she founded The Ferri Group, LLC where she provided risk control, program development, training and regulatory compliance for her clients.

Abby is an adjunct professor in the Construction Management Program at Dunwoody College of Technology. She is also President-elect of the Northwest Chapter of American Society of Safety Professionals (ASSP) and Administrator of the Women in Safety Excellence common interest group of the ASSP.

“I feel that my experiences have led me directly to my new position at Hays. I love working with construction companies and general contractors, and I aim to ensure the industry thinks of Hays first for their risk management needs,” said Ferri.

Ferri can be contacted via phone at 612-486-4796 or email at aferri@hayscompanies.com.

ABOUT HAYS COMPANIES

Hays Companies is one of the fastest growing risk management, insurance and employee benefits advisors in the country. Our philosophy of delivering the highest-quality, customer-focused service has led to significant growth for 20 years. Today, the company includes 700+ experienced professionals in more than 30 locations throughout the United States. For more information, contact Andrea Field (afield@hayscompanies.com) or visit our website at hayscompanies.com.

Upcoming MN Workers’ Compensation Indemnity Benefit Increase Effective 10/1/2018

A new bill hailed as the most comprehensive workers’ compensation legislation in the last twenty years was recently signed into law in Minnesota. Following both houses’ unanimous approval, Governor Mark Dayton also gave the bill his signature on May 20th.

The bill, H.F. 3878, included recommendations from the Workers’ Compensation Advisory Council, a group comprised of appointed representative as well as the presidents of the largest statewide Minnesota business organization and the largest organized labor association. Supporters of the bill believe it will help improve the system’s administrative process, and directly benefit employers, health care providers and injured workers.

At a high level, the following changes will be enacted as a result of the bill’s passage:

  • The maximum number of weeks of TPD benefits eligibility has increased from 225 weeks to 275 weeks
  • The PPD benefits schedule has been increased
  • PTD benefits eligibility has increased from age 67 to age 72

These changes will go into effect for injuries on or after October 1st, 2018. If you have question about how the new legislation will impact your business, please contact your local Hays representative or email us at info@hayscompanies.com.

To view the complete language for 2018 Minnesota Sessions Laws Chapter 185—H.F.No.3873, please click here.

Hays Headquarters Named Largest Insurance Brokerage in Minneapolis

Hays Companies is pleased to announce that our Minneapolis office, which is also the location of our corporate Headquarters, was named the largest insurance brokerage in the Minneapolis/St. Paul metro area (also known as the Twin Cities) by the Minneapolis/St. Paul Business Journal.

The publication, which is amongst the most prestigious business news outlets in the state of Minnesota, surveyed offices located within the 24-county metro area. For businesses that are headquartered in the Twin Cities, such as ours, results were based on companywide revenue for all operations as well as the number of employees.

We’re especially honored by this recognition as it not only reflective of our growth as an organization, but also the continued support of the community in which we were founded.

To view the complete list, please click here.

Minnesota Business Magazine Feature: Cybersecurity Insurance 101

By: Brian Martucci

Target. Home Depot. Yahoo. Equifax.

What do they have in common? You guessed it — they’ve all experienced major data breaches that exposed tens of millions of users’ sensitive personal and/or financial data. Yahoo was actually victimized twice, each attack compromising hundreds of millions of users. (Oh, Yahoo.)

Your company is vulnerable
Big-company cyber incidents are understandably newsworthy, but they’re really just the tip of the iceberg. Most incidents go unreported in the media, even in wonky tech blogs, because they directly impact fewer people or fail to compromise critical systems.

A 2016 FBI report put the average daily number of U.S. ransomware attacks at 4,000, a 300% increase from2015.

That figure doesn’t count other types of cyber-attacks, such as phishing. Check your spam folder when you get a chance — it’s a virtual certainty that some of those sketchy emails contain malicious files or links.

Insurance can help

“Cybersecurity insurance is a misnomer,” says Dave Wasson, Vice President and Cyber Liability Practice Leader at Hays Companies in Minneapolis. “‘Privacy and security insurance’ is more accurate. Lots of claims have nothing to do with hacking — someone forgot to shred a sensitive document, maybe.”

For brevity, we’ll call it cybersecurity insurance. It exists because general commercial liability policies typically exclude digital and analog privacy and IP threats.

Cybersecurity insurance policies provide financial redress for a broad range of potential threats: the U.S. Department of Homeland Security cites “costs a from data destruction and/or theft, extortion demands, hacking, denial of service attacks, crisis management activity related to data breaches, and legal claims for defamation, fraud, and privacy violations.”

How to approach cybersecurity insurance
Many owners and execs have only a tenuous handle on their companies’ digital and analog vulnerabilities.

“A significant portion of what we do is educational,” says Wasson. “With new clients, the key question is: ‘Is your understanding of your exposure correct?’”

Some companies mistakenly believe they’re taking adequate measures to address perceived vulnerabilities, which they may or may not fully understand. Others affirmatively avoid due diligence on the not-incorrect assumption that actively researching the threat landscape eliminates plausible deniability and increases liability.

At least one large, well-known Minnesota company takes this “head in the sand approach,” says Wasson. (He declined to identify the firm.) Wasson is not a fan: “That’s like saying you’re healthy because you haven’t gone to the doctor,” he says. Self-insuring against privacy and security threats is doable for larger companies with the resources to absorb the cost of a cyber incident, but “understanding potential threats is always better than not understanding.”

What it costs, what it covers
Needless to say, most sizable companies do carry cybersecurity insurance policies. Coverage is increasingly common among SMBs too. When resources are tight, any significant cybersecurity incident is a grave threat.

“For small businesses, you can find good quality policies, not pared down at all, for less than $1,000 per year,” says Wasson. The lower end of the market, below $50,000 per year, is growing fast. (The costliest policies, built for Fortune 1000 firms, cost more than $1 million per year.)

Like other forms of insurance, cybersecurity insurance products are highly customizable, but most policies have seven basic coverages. The devil is usually in the details. Wasson advises clients to pay close attention to three key issues:

“Failure to maintain” clause: This exclusion penalizes policyholders who fail to execute or maintain stated security practices. “It basically says, ‘If you say you have a particular safeguard in place and you don’t, we’ll deny your claim,’” says Wasson. He strongly advises against buying policies with “failure to maintain” clauses.

IP protection: Cybersecurity insurance newbies are often disappointed by policies’ anemic or nonexistent intellectual property coverages. Some policies do cover NDA-protected IP compromised in a breach. Premiums may be higher, though.

Bringing in outside experts: Does the policy let you bring in your own legal and forensic IT experts after a breach? Some force policyholders to choose from approved professionals; using non-approved experts could compromise or even void your claim. “It’s like the requirement that you select a provider in your health insurer’s network,” says Michael Cohen, head of the Global Privacy, Cybersecurity and Data Protection legal team at Minneapolis-based Gray Plant Mooty.

Data breach? Minimize exposure and get the response right
Cybersecurity insurance alone can’t prevent privacy and security incidents. Insurers require, incentivize and recommend that policyholders take steps to mitigate their exposure.

Established regulatory structures are non-negotiable. For instance, policyholders must abide by the Payment Card Industry Data Security Standard (PCI DSS), an electronic payments security framework backed by major credit card issuers. Healthcare and finance companies must follow other frameworks.

Insurers incentivize the adoption of other safeguards, like robust encryption. “Encryption is one of the few things that has an actual causal impact on policy pricing,” says Wasson.

“The better your encryption, the less you’ll pay.”
Be honest about your data security practices and degree of exposure: On your cybersecurity insurance application, honestly disclose your exposure and mitigation practices. Even absent a “failure to maintain” clause, a misleading or incomplete application could lead to inadequate coverage. Plus, says Cohen, “Being recognized as a leader in data security benefits your organization in the marketplace.”

Don’t needlessly retain data: “Most companies don’t need to collect Social Security numbers,” says Wasson, “and they certainly don’t need to keep them in unencrypted files on mobile devices.” Only collect and retain data needed for essential business functions.

Take special care with legacy systems:
Many companies run key processes on functionally obsolete, unsupported IT systems. This is sub-optimal for all sorts of reasons, but overhauling is costly and disruptive, so it happens. Unfortunately, breaches can wreak havoc on legacy systems, which typically need to be overhauled after the fact anyway. When I spoke to Wasson, he was helping a client through a catastrophic ransomware attack made worse by the forensic impenetrability of its ancient IT. With no backup, the client had to shut down for a month to upgrade its systems and get out from under the attack. (Also relevant: Back everything up!)

Know your obligations under the law:
Legally mandated notification requirements may greatly increase post-breach costs. Firms must abide by notification rules in affected individuals’ home jurisdictions. Said rules vary widely, so firms typically adhere to standards in the strictest state in which they operate. Still, you need an attorney to work through dense regulatory language. To handle high notification volumes, you’ll need to retain a specialized firm.

Create an incident response team:
Don’t wait until it’s too late to build an incident response team. The point person (“breach coach”) should be an attorney experienced in handling data breach matters, whether in-house counsel or an outside expert like Cohen. Add at least one member from HR, IT (inside or outside), marketing or PR (inside or outside), finance, and upper management. Define each member’s role in the event of an incident. Mind insurance company restrictions — remember Cohen’s attorney networks.

Have an incident response plan ready:
Different scenarios call for different responses, but your first call should always be to your designated attorney. They’ll quickly assess the situation’s severity and determine what needs to happen next. If the situation warrants, “next” means a call to the FBI, which has a first-rate cyber forensics team. “The FBI is very discreet,” says Cohen. “Your business won’t leak just because they’re involved.” They may also know about other incidents that hold clues to your own.

You should do these six things “even if you choose to forgo cybersecurity insurance,” says Cohen. After all, fortune favors the prepared. And the careful.

WHAT CYBERSECURITY INSURANCE COVERS:
Security and Privacy Liability: Provides financial protection against third-party claims alleging “failure to protect sensitive information or maintain adequate network security.” May also cover “breach of the insured’s own privacy policy” and “breach of confidential corporate information” covered by confidentiality or non-disclosure agreements.

Privacy Regulatory Defense and Penalties: Covers regulator-assessed penalties and fees, where allowed by law, as well as costs associated with “complying with or defending against a privacy related regulatory investigation” by certain state and federal agencies or authorities.

Breach Costs: Covers costs directly associated with breach response, including notification to potentially affected parties, computer forensics, legal expenses, public relations campaigns,
and ongoing identity theft protection and monitoring.

Multimedia Liability: Covers “claims alleging intellectual property infringement [copyright infringement, defamation and libel, common law privacy rights, plagiarism or piracy, misappropriation of ideas] arising out of the advertising of a company’s goods or services, either online or offline.”

Business Interruption: Covers loss of income if the insured party is unable to conduct business “due to a malicious third party hacking event.”

Data Recovery: Covers costs associated with digital asset replacement, such as software licenses and proprietary software. May be combined with business interruption coverage.

Cyber Extortion: Covers costs associated with ransomware attacks, including investigations to determine whether the threat is credible and the cost of complying with the attackers’ demands (e.g., paying the ransom).

Interested in learning more about Cyber Risk? Check out our recent FOCUS publication on Ransomware.

N.B. Precise nomenclature varies by issuer.

Source: “Cyber Liability Insuring Agreement Overview,” Hays Companies.

This article originally appeared in Minnesota Business Magazine. To view the original article, please click here