The RISQ RECAP:
October 24th – October 28th, 2022
Each week, you’ll find specially curated news articles to keep you up to date on the ever-evolving world of insurance and risk management. The articles are divided out between items relevant to Property & Casualty, Employee Benefits/Human Resources, and Compliance. We’ve included brief summaries of each item as well as a link to the original articles.
PROPERTY & CASUALTY
Bad Driving, Inflation Among Factors Pushing Increase in Auto Loss Ratios
“US auto insurers are coping with the largest direct loss ratio in 20 years because of factors that include historic inflation, a deterioration in driving behavior and sky-high jury awards, the American Property and Casualty Insurance Association says in a new report. APCIA said the direct loss ratio for auto physical damage reached 77.1% in the third quarter of 2021 — after reaching an historic low of 45.2% during COVID-19 business shutdowns in the second quarter of 2020.” Full Article
– Insurance Journal
EMPLOYEE BENEFITS, HUMAN RESOURCES, & COMPLIANCE
Managing Expectations When Administering COBRA Open Enrollment Periods “Qualified beneficiaries may modify their COBRA coverage during COBRA-defined open enrollment periods. Also, qualified beneficiaries have the same rights to change their coverage during open enrollment periods as active employees. They are not limited to the rights they might have had as spouses or children of active employees.” Full Article – Proskauer, via HR Daily Advisor
States Struggle to Ensure Equal Access to Behavioral Health Benefits Amid Mental Health Crisis “Effective review and oversight of MHPAEA enforcement in the states are time- and resource -intensive processes which pose significant challenges to regulators. Providers and patients are often unaware of insurers’ obligations to provide equal access to mental health services under the federal parity law, removing a tool that states rely on to flag potential violations. Funding from federal grants has been critical in state enforcement efforts.” Full Article – Robert Wood Johnson Foundation
Taxation of Tuition Assistance Plans “Since tuition assistance can be an expensive benefit for employers some … will require employees to repay the benefit if they leave employment within a designated period of time after receiving the benefit…. What are the tax consequences to employees who receive a taxable tuition assistance amount from their employers subject to a repayment requirement, but who then leave employment and are required to repay all or a portion of the amount received?” Full Article – Boutwell Fay LLP
Cafeteria Plan COLA May Require Employer Action “If your plan does not make an automatic change to increase the health FSA adjustment for future plan years, your plan document will need to be amended to permit your employees to put the additional $200 in their health FSAs for 2023. And even if your Plan is automatically increased for cost-of living adjustments, you will need to amend any references to this limit in other documents, such as your SPDs or election forms.” Full Article – Graydon
Upcoming Deadline Under the No Surprises Act: Air Ambulance Reporting by Group Health Plans and Insurance Issuers “Though we are waiting for the final rule and for the Departments to establish a method for submitting the reports, plans and issuers should start ensuring that their systems and vendors are able to gather and collect the data identified by the Proposed Rule. Practically speaking, the heavy lifting associated with the reporting requirements is likely to fall on issuers and TPAs.” Full Article – Foley & Lardner LLP
The IRS Releases Final Rule Addressing the “Family Glitch” “The affordability standard for an employee’s PTC eligibility remains based on the cost of self-only coverage, so this regulatory change will not increase the number of employees who will newly become eligible for PTC-subsidized coverage on the Exchange. The 2022 Regulations do not affect the employer mandate penalty, because they do not change the affordability rules for employees themselves, and the employer mandate is only triggered when an employee, not a family member, receives a PTC.” Full Article – Groom Law Group
STATE & INTERNATIONAL COMPLIANCE
In addition to the RISQ Review, RISQ Consulting also provides a resource that features changes and updates to State and International Compliance measures. We’ve included brief summaries of each item below, and also provided links to the original articles if you’d like to read further.
CALIFORNIA
California Prohibits Retaliation Against Employees for Refusal to Report to Work During Emergency Conditions
“On September 29,2022, California’s Governor Gavin Newsom signed Senate Bill (SB) 1044, which prohibits an employer in the event of an emergency condition from taking or threatening adverse action against any employee for refusing to report to or leave a workplace or worksite within the affected areas because the employee has a reasonable belief that the workplace or worksite is unsafe.” Full Article
– Jackson Lewis PC
WASHINGTON
Washington State Employers to Face Significant Minimum Wage and Salary Threshold Increases
“Starting January 1, 2023, the Washington state minimum wage will be $15.74 per hour. This is a $1.25 increase from the current 2022 minimum wage of $14.49 per hour. Because the salary threshold for exempt employees in Washington is tied to a multiple of the minimum wage, the exempt salary threshold for all employers with Washington-based employees will also increase.” Full Article
– Davis Wright Tremaine LLP
COLORADO
Colorado Gears Up for Sweeping New Paid Family and Medical Leave Insurance Program
“Colorado employers may want to begin preparing for the implementation of Colorado’s new state-run Paid Family and Medical Leave Insurance (FAMLI) program.” Full Article
– Ogletree Deakins LLP
NEW JERSEY
Attention New Jersey Employers: NJ Cannabis Regulatory Commission Issues Interim Guidance on Workplace Impairment
“On Sept. 9, 2022, the NJ Cannabis Regulatory Commission (NJ-CRC) issued interim guidance on detecting “workplace impairment” following the passage of the New Jersey Cannabis Regulatory, Enforcement Assistance, and Marketplace Modernization Act (CREAMMA) almost two years ago.” Full Article
– Greenburg Traurig LLP
TEXAS
Texas District Court Holds EEOC Guidance on Sexual Orientation and Gender Identity Discrimination Unlawful
“On October 1, 2022, the United States District Court for the Northern District of Texas held that Equal Employment Opportunity Commission (“EEOC”) guidance addressing sexual orientation and gender identity discrimination in the workplace is unlawful. The case is State of Texas v. EEOC.” Full Article
– Proskauer Rose LLP
- Published in Blog
Credential Stuffing
This article is from RISQ Consulting’s Zywave client portal, a resource available to all RISQ Consulting clients. Please contact your Benefits Consultant or Account Executive for more information or for help setting up your own login.
If and when you get hacked, it’s easy to think cyber criminals used some high-tech program or code to gain access to your accounts. The truth is, however, that data breaches aren’t always this sophisticated, and all malicious parties need is a little trial and error to steal your personally identifiable information. This tactic is known as credential stuffing, and it’s becoming a common tool for cyber criminals of all kinds.
Simply put, credential stuffing attacks are when a malicious party takes a stolen username and password and tries it on a variety of different websites. For example, a hacker may have purchased your Google username and password from the dark web.
Assuming that you use the same password for multiple accounts, the hacker would test these credentials on other platforms (e.g., banking or social media websites) using botnets (groups of computers tasked with various commands). Essentially, by using information from one account, criminals can potentially access data from a variety of platforms, draining bank accounts or gathering information they can sell to other malicious parties.
Credential stuffing can affect everyone, from individual users to the biggest companies. In fact, a Yahoo breach that impacted approximately 500 million users was largely carried out using credential stuffing.
Thankfully, because credential stuffing relies on victims having the same password for multiple accounts, there are some simple ways to protect yourself:
- Avoid using the same password for multiple accounts—Credential stuffing works because many users use the same password for multiple accounts. Be sure to change your passwords often and never use the same password across different accounts.
- Use two-factor authentication—While complex passwords can deter cyber criminals, they can still be cracked. To prevent cyber criminals from gaining access to your accounts, two-factor authentication is key. Through this method, users must confirm their identity by providing extra information (e.g., a phone number or unique security code) when attempting to access corporate or personal applications, networks and servers. This additional login hurdle means that would-be cyber criminals won’t easily unlock an account, even if they have the password in hand.
- Create strong password policies—For employers, ongoing password management can help prevent attackers from compromising your organization’s password-protected information. You’ll want to create a password policy that requires employees to change their password on a regular basis, avoid using the same password for multiple accounts and use special characters. Long passphrases are becoming increasingly popular as well, and may be a good option for your organization.
- Provide security training—Even the most robust and expensive data protection solutions can be compromised should an employee click a malicious link or download fraudulent software. As such, it’s critical for organizations to thoroughly train personnel on common cyber threats and how to respond. Your employees should also know your cyber security policies and know how to report suspicious activity.
For additional cyber risk management guidance and insurance solutions, contact us today.
- Published in Blog
Patch Management Explained
This article is from RISQ Consulting’s Zywave client portal, a resource available to all RISQ Consulting clients. Please contact your Benefits Consultant or Account Executive for more information or for help setting up your own login.
Patch management is the process of acquiring and applying software updates to a variety of endpoints, including mobile devices, computers, servers and embedded devices. Installing patches regularly is necessary to correct errors, help protect data and optimize system functions. This article provides information on how a consistent approach to patching and updating software can limit exposure to various exploits.
What Are Patches?
Patches modify operating systems and software to improve security, fix bugs and improve performance. They are created by software developers and address vulnerabilities attackers may target.
Why Is Patch Management Necessary?
Patch management is necessary for the following reasons:
- Security—Hackers look to exploit cybersecurity weaknesses. Installing patches fixes software vulnerabilities and therefore reduces an organization’s cybersecurity risks.
- Compliance—Regulatory bodies or government agencies may require organizations to adhere to patch management standards. Meetings those requirements can help businesses avoid sanctions, fines or penalties.
- Feature improvements—In addition to addressing security issues and fixing bugs, patches can also offer feature and functionality improvements to help software run smoothly.
- Minimize downtime—With the enhancements that patches provide, programs may run more efficiently. This can increase production by helping minimize downtime and improving the user experience.
How Is Patch Management Performed?
The patch management process can be carried out by a company’s IT team, an automated patch management tool or a combination of both. Steps in the patch management process include:
- Identifying IT assets (inventory) and their locations—Taking stock of IT assets and where they are located is a crucial first step in the patch management process. This is especially important as employees increasingly work remotely.
- Identifying critical systems and vulnerabilities—Being aware of critical systems and identifying and tracking vulnerabilities are also key aspects of patch management. It is important to take note of existing security features (e.g., firewalls and antivirus software) and what they are protecting against. With this information, an IT team can more readily determine which systems need to be patched when vulnerabilities are discovered or reported.
- Testing and applying patches—Before applying the patches to all systems, it is best to test them on a representative subset of IT inventory. This can help ensure the updates will not create unforeseen issues. Once testing is complete, begin rolling out the patches to the rest of the assets. It is advisable to do this in batches, as this can help identify potential issues before they become too widespread.
- Tracking progress and maintaining records—During the rollout, it is advisable to keep track of the progress being made. After the patches have been successfully installed, it is essential to keep accurate documentation that notes which assets have been updated.
Conclusion
Having a comprehensive patch management process not only increases a company’s cybersecurity posture and helps keep the business running smoothly, but it also is a practice frequently required by insurance underwriters in order to obtain cyber insurance. Contact us today for more information.
- Published in Blog
The RISQ RECAP:
October 17th – October 21st, 2022
Each week, you’ll find specially curated news articles to keep you up to date on the ever-evolving world of insurance and risk management. The articles are divided out between items relevant to Property & Casualty, Employee Benefits/Human Resources, and Compliance. We’ve included brief summaries of each item as well as a link to the original articles.
PROPERTY & CASUALTY
Bill Would Require Front-view Safety Cameras for New Vehicles
“For several years now, new vehicles have been required to have rear-view cameras – a safety feature designed to help prevent autos and trucks from backing over children. But most vehicles on the road today do not have similar camera systems to check for objects and humans in the front. And as trucks and SUVs have become taller — limiting drivers’ vision immediately in front of the vehicle — the problem has only grown worse, NBC news reported Monday.” Full Article
– Insurance Journal
EMPLOYEE BENEFITS, HUMAN RESOURCES, & COMPLIANCE
An Employer Must Not Retaliate Against an Employee for Others’ Activity “In several recent cases, the National Labor Relations Board reminds employers that illegal retaliation against a worker can occur even if they were not directly involved in the protected actions of others – whether co-workers or unions.” Full Article – Shawe Rosenthal LLP
Bipartisan Legislators Introduce Bill with Some Legal Protections for Gig Workers “A bipartisan group of legislators recently introduced H.R.8442 – Worker Flexibility and Choice Act, a bill allowing businesses to maintain gig workers as independent contractors. The bill also would provide some legal protections for those workers, despite their independent contractor status.” Full Article – Hall Benefits Law LLC
NLRB Rules Employers Cannot Unilaterally Cease Dues Checkoff After CBA Expiration “On October 3, 2022, in a 3-2 decision, the National Labor Relations Board (NLRB or Board) reversed its previous ruling from 2019 and held that a union dues checkoff provision should be treated as part of the status quo that the employer cannot unilaterally change following contract expiration.” Full Article – Ford Harrison LLP
Medical Marijuana and the Construction Job Site “The changing legal landscape relating to marijuana usage means that employers, especially those with safety sensitive positions or who are subject to federally mandated compliance requirements, need to review their current policies and approaches to positive drug tests reflecting marijuana usage to ensure they follow applicable federal, state, and local laws regarding marijuana in the workplace.” Full Article – Jackson Lewis PC
UPDATE: Employers Should Anticipate Significant Rise in Minimum Wage Rates Tied to Inflation “Employers in approximately a dozen states and twice as many cities and counties should expect significant hikes in minimum wage rates for 2023. Many of these hikes are due to state and local laws which account for inflation by automatically tying increases in the Consumer Price Index (CPI) to minimum wage rates. This year’s unusually high inflation and resultant CPI growth, however, threatens to raise hourly wages by nearly $1 or more in certain locales.” Full Article – By, Benesch Friedlander
DOL Proposes New Regulation Regarding Employees vs. Independent Contractors “Today the U.S. Department of Labor (DOL) published a new proposed rule defining employee versus independent contractor status under the Fair Labor Standards Act (FLSA). The proposed regulation would move the “economic realities” test closer to prior interpretations of the FSLA, replacing a regulation published in January 2021 at the end of the Trump administration. The new rule proposes to return to a multi-factor test that looks at the totality of the circumstances and does not weigh or elevate any factor above another.” Full Article – Davis Wright Tremaine LLP
STATE & INTERNATIONAL COMPLIANCE
In addition to the RISQ Review, RISQ Consulting also provides a resource that features changes and updates to State and International Compliance measures. We’ve included brief summaries of each item below, and also provided links to the original articles if you’d like to read further.
CALIFORNIA
California Prohibits Retaliation Against Employees for Refusal to Report to Work During Emergency Conditions
“On September 29,2022, California’s Governor Gavin Newsom signed Senate Bill (SB) 1044, which prohibits an employer in the event of an emergency condition from taking or threatening adverse action against any employee for refusing to report to or leave a workplace or worksite within the affected areas because the employee has a reasonable belief that the workplace or worksite is unsafe.” Full Article
– Jackson Lewis PC
WASHINGTON
Washington State Employers to Face Significant Minimum Wage and Salary Threshold Increases
“Starting January 1, 2023, the Washington state minimum wage will be $15.74 per hour. This is a $1.25 increase from the current 2022 minimum wage of $14.49 per hour. Because the salary threshold for exempt employees in Washington is tied to a multiple of the minimum wage, the exempt salary threshold for all employers with Washington-based employees will also increase.” Full Article
– Davis Wright Tremaine LLP
COLORADO
Colorado Gears Up for Sweeping New Paid Family and Medical Leave Insurance Program
“Colorado employers may want to begin preparing for the implementation of Colorado’s new state-run Paid Family and Medical Leave Insurance (FAMLI) program.” Full Article
– Ogletree Deakins LLP
NEW JERSEY
Attention New Jersey Employers: NJ Cannabis Regulatory Commission Issues Interim Guidance on Workplace Impairment
“On Sept. 9, 2022, the NJ Cannabis Regulatory Commission (NJ-CRC) issued interim guidance on detecting “workplace impairment” following the passage of the New Jersey Cannabis Regulatory, Enforcement Assistance, and Marketplace Modernization Act (CREAMMA) almost two years ago.” Full Article
– Greenburg Traurig LLP
TEXAS
Texas District Court Holds EEOC Guidance on Sexual Orientation and Gender Identity Discrimination Unlawful
“On October 1, 2022, the United States District Court for the Northern District of Texas held that Equal Employment Opportunity Commission (“EEOC”) guidance addressing sexual orientation and gender identity discrimination in the workplace is unlawful. The case is State of Texas v. EEOC.” Full Article
– Proskauer Rose LLP
- Published in Blog
Double Extortion Ransomware Attacks
This article is from RISQ Consulting’s Zywave client portal, a resource available to all RISQ Consulting clients. Please contact your Benefits Consultant or Account Executive for more information or for help setting up your own login.
In recent years, ransomware attacks have steadily been on the rise. These incidents—which entail cybercriminals compromising a device or server and demanding a large payment be made before restoring the technology (as well as any data stored on it) for the victim—are one of the most damaging cyberattack methods, incurring an average of $1 million in total losses per incident.
As these attacks become increasingly common, numerous ransomware techniques have also emerged. Specifically, double extortion ransomware attacks are now a potential cybersecurity concern for organizations across industry lines. This technique follows a similar protocol to that of a typical ransomware attack, but comes with an extra threat—the victim must pay a ransom not only to regain access to their technology and data, but also to keep that data from being uploaded publicly online.
Double extortion ransomware attacks are particularly concerning, seeing as these incidents can further pressure organizations to comply with ransom demands in order to keep their data private. Review the following guidance to learn more about how double extortion ransomware attacks work and what your organization can do to prevent such an attack.
How Double Extortion Ransomware Attacks Work
To outline the general framework of a double extortion ransomware attack, this technique starts out like most other ransomware incidents, in which a cybercriminal first gains access to their target’s device or server—often via phishing scams, nonsecure websites or malicious attachments. From there, the cybercriminal is able to compromise the victim’s technology and encrypt data stored on it. Then, the cybercriminal delivers their ransom demand and accompanying consequences for noncompliance.
Contrary to a typical ransomware incident, however, these consequences are twofold. That is, failing to pay the ransom could result in the cybercriminal both permanently restricting the victim’s access to their technology and sensitive data, as well as sharing this data publicly on the internet. Although double extortion ransomware attacks can occur at any organization, these incidents are most common within establishments that store a considerable amount of sensitive data. This includes health care facilities, financial institutions, government organizations and large retail businesses.
Double extortion ransomware attacks can be significantly more damaging for affected organizations than typical ransomware incidents. This is because even if organizations have protocols in place (e.g., storing data in multiple secure locations) that allow them to recover their compromised information without paying a ransom, they may still be pressured to do so in order to keep their data from going public. After all, a data breach can lead to further ramifications—including reputational damages, regulatory fines and class action lawsuits.
What’s more, cybercriminals who conduct double extortion ransomware attacks are known to demand higher ransom payments, sell or trade stolen data to other attackers for future extortion attempts and still move forward with sharing data publicly even after the ransom is paid (whether on purpose or by accident)—making these attacks all the more damaging.
Preventing Double Extortion Ransomware Attacks
When it comes to combatting double extortion ransomware attacks, it’s important to prioritize standard ransomware prevention measures. This includes conducting routine employee training on how to detect potential ransomware risks (e.g., suspicious emails or attachments), implementing policies that prohibit browsing nonsecure websites on organizational servers or devices, and installing adequate security features on all workplace technology (e.g., a virtual private network, antivirus programs, data encryption software, email spam filters, an internet firewall and a patch management system).
In addition to these key prevention measures, the best course of action for reducing double extortion ransomware attack risks is to establish an effective cyber incident response plan for your organization. This plan should explicitly address double extortion ransomware attack scenarios and outline steps that employees should take to limit the damages during such an event.
Lastly, it’s vital to secure appropriate insurance coverage for ultimate peace of mind in the event of a ransomware attack. A dedicated cyber insurance policy can offer much-needed support and resources when an attack occurs, minimizing the potential damages and financial impact on your organization.
For additional risk management guidance and insurance solutions, contact us today.
- Published in Blog
Creating a Cybersecurity Culture
This article is from RISQ Consulting’s Zywave client portal, a resource available to all RISQ Consulting clients. Please contact your Benefits Consultant or Account Executive for more information or for help setting up your own login.
Employees are an organization’s first line of defense against cybercriminals. For this reason, they are also commonly targeted. In fact, the vast majority (88%) of data breaches are caused by employee mistakes, according to Stanford University. Unfortunately for organizations, a single mistake can result in costly losses, reputational damage and lost or stolen data.
In order to keep your organization safe from cybercriminals, cybersecurity must become an integral part of company culture—something that is valued and upheld by every member of the organization. Cybersecurity should be top of mind for every employee when choosing whether to click a link, open an email or download documents from the web.
This article contains tips for improving employee engagement and creating a cybersecurity culture that will help protect your organization against cybercriminals.
Cybersecurity Culture Explained
An organization’s security culture will not grow on its own. To transform security training into everyday practices, organizations must invest in their security culture and constantly nurture it. A strong and resilient cybersecurity culture can benefit an organization in a number of ways, including:
- Protects the organization against cyberthreats and data breaches
- Strengthens customer trust and loyalty
- Improves brand reputation
Although many organizations recognize the benefits of having a cybersecurity culture, they may fail to successfully create one for multiple reasons. One of the most common reasons is a lack of employee buy-in. In fact, one survey found that 60% of organizations don’t believe they have successfully achieved employee buy-in for cybersecurity practices. Lack of executive buy-in is also a common cause of failure. This may result from outdated thinking that cybersecurity only belongs to the IT department or a lack of understanding about the pervasiveness of the issue.
Fortunately for organizations, the main stumbling blocks to creating a thriving cybersecurity culture can also guarantee success if leveraged effectively.
Best Practices
When cultivating a cybersecurity culture, organizations should consider the following best practices:
- Engage the C-suite. Senior executives are sometimes resistant to adopting good cyber hygiene. This has to change if your organization is going to create a successful cybersecurity culture. Employees need to see management leading by example if they’re going to buy into a healthy cybersecurity culture. Encourage leaders to join the conversation and reinforce that cybersecurity is every employee’s responsibility.
Additionally, senior executives are one of the biggest targets for cybercriminals. Ensure they are doing their part in upholding cybersecurity values by teaching them how to identify and defend against targeted cyberattacks.
- Inspire ownership of cybersecurity. Clearly communicate what’s at stake to your employees and explain that your organization needs their help. It’s not enough to simply explain changes to security protocols. Ensure employees understand why these changes have been made and what you’re trying to do to protect the organization. It’s imperative that employees understand that no security system is foolproof and, therefore, it’s up to them to minimize threats and avoid unnecessary risks.
- Create engaging cybersecurity programs. Cybersecurity training should not be presented as a one-off occurrence. If you want your employees to embrace cybersecurity as part of their culture, provide fun training based on real experiences. Consider leveraging discussion forums, online games, in-person training and mock phishing exams as part of your holistic approach to cybersecurity learning. Brief and frequent lessons will also be more digestible and remind employees that cyber awareness is part of their corporate life.
- Bring back the basics. When discussing cybersecurity, many organizations make the mistake of skipping basic training. This can cause confusion and prevent core cybersecurity values from resonating with employees. According to one survey, 50% of all employees haven’t had formal cybersecurity training, and 96% keep passwords saved on their devices for easy access. When creating and teaching good cyber hygiene, don’t forget basic principles such as strong password policies, two-factor authentication and limits on security, downloads and network access.
- Make it easy. Ensure employees know where to report suspicious emails and how to check the authenticity of work-related communications. Whenever possible, encourage open lines of communication between your employees and the IT department. This will help encourage employees to proactively reach out to IT for help or to report mistakes.
- Celebrate success. Make cybersecurity part of performance reviews and reward systems. It is also beneficial to acknowledge employee successes one-on-one by expressing appreciation or offering rewards for their commitment to your organization’s cybersecurity goals.
Conclusion
When workplace cybersecurity is treated as a simple check-the-box exercise, costly mistakes can occur. Teaching employees to value and take responsibility for their actions can help organizations reduce their chances of becoming a victim of a cyberattack.
Contact us today for more cyber guidance.
- Published in Blog
The RISQ RECAP:
October 10th – October 14th, 2022
Each week, you’ll find specially curated news articles to keep you up to date on the ever-evolving world of insurance and risk management. The articles are divided out between items relevant to Property & Casualty, Employee Benefits/Human Resources, and Compliance. We’ve included brief summaries of each item as well as a link to the original articles.
PROPERTY & CASUALTY
The Future of P/C Underwriting: Shifting From Innovation to Operational Efficiency
“With rising inflation and the prospects of a recession on the horizon, the present macroeconomic environment is forcing property/casualty underwriters to adapt to new technologies and sources of data. All the while, policyholders are demanding more from underwriters, whether it’s greater transparency or access to dynamic pricing.” Full Article
– Insurance Journal
EMPLOYEE BENEFITS, HUMAN RESOURCES, & COMPLIANCE
When to Provide Domestic Partner Benefits “Domestic partners are entitled to the same employer-provided benefits as spouses only if the benefit is subject to state law and the state law recognizes domestic partnerships. This happens most commonly with insured group health plans. ERISA does not preempt state insurance laws.” Full Article – Holland and Hart LLP
Medical Claims Reviews: What Your Plan May be Missing “With thousands and thousands of codes that can be assigned to everything from the diagnosis of a patient’s condition to the facility where they receive care, there is plenty of room for error in medical billing. And it may never get caught, partly because billing has become so complicated and partly because patients, health plans and claims administrators may not have all the data they need to catch the errors.” Full Article – International Foundation of Employee Benefit Plans
Fourth Quarter 2022 Hits for Plan Sponsors and Administrator “With the first RxDC reporting deadline of December 27, 2022, fast approaching, plan administrators should discuss RxDC reporting with their providers now to develop a compliance plan. As the CMS warns, HIOS accounts can take up to two weeks to create. First dollar coverage for insulin will protect Health Savings Account eligibility for those who require an insulin regimen. Employers should determine if their plan requires an amendment to implement this change.” Full Article – Jackson Lewis P.C.
Biden Administration Proposal Restores, Updates Obama-Era ACA Section 1557 Rules “The Proposed Rule also suggests that TPAs subject to Section 1557 may be held liable for Section 1557 violations when the allegedly discriminatory act or feature originated with the TPA. For example, if a group health plan adopts a template plan document provided by the TPA, the TPA could be found liable. This appears to be the case even in the event the plan sponsor formally adopts the document or benefit design as the plan settlor.” Full Article – Groom Law Group
COBRA Election Notice Failure Underscores Need for Mailing Address Procedures “In a dispute involving alleged violations of notice requirements under COBRA, a district court addressed the respective liabilities of a self-funded health plan’s third-party administrator and its employer/plan sponsor for providing a COBRA election notice. The court concluded that the employer could not disclaim liability for providing the election notice to a plan participant at the correct address merely because it had contracted with the TPA to provide COBRA notices.” Full Article – Thomson Reuters Practical Law
Navigating Open Enrollment Requirements “A dependent audit performed by the plan’s administrator flagged the same sex spouse’s coverage. Consistent with the employer’s religious belief the HR executive informed the employee that the spouse’s coverage would be terminated at the end of the month. The employer argued that it was exempt from Title VII based on its status as a religious organization. Rejecting this interpretation, the district court concluded that religious organizations are not exempt from Title VII’s prohibition against discrimination based on characteristics other than religion.” Full Article – Faegre Drinker
STATE & INTERNATIONAL COMPLIANCE
In addition to the RISQ Review, RISQ Consulting also provides a resource that features changes and updates to State and International Compliance measures. We’ve included brief summaries of each item below, and also provided links to the original articles if you’d like to read further.
CALIFORNIA
California Expands Pay Transparency and Reporting Obligations
“On September 27, 2022, California Governor Gavin Newsom signed Senate Bill (SB) 1162, which requires certain employers to provide more pay transparency on pay scales and expands pay data reporting obligations for other employers. The new obligations take effect on January 1, 2023.” Full Article
– Jackson Lewis
Bereavement Leave Now Protected in California
“On September 29, 2022, California Governor Gavin Newsom signed Assembly Bill (AB) 1949, which amends the California Family Rights Act (CFRA) to require covered employers to provide eligible employees with 5 days of bereavement leave. AB 1949 applies to employers with 5 or more employees nationwide.” Full Article
– Jackson Lewis
WASHINGTON D.C.
Washington D.C. to Expand Antidiscrimination Protections to Include Independent Contracts and Homeless Individuals
“Effective October 1, 2022, an amendment to the District of Columbia’s Human Rights Act (“the Act”) will expand the universe of workers protected under the Act, as well as codify workplace harassment as an unlawful discriminatory practice.” Full Article
– Proskauer Rose
NEW YORK
NYC to End Private Employer COVID-19 Vaccine Mandate on November 1, 2022
“On September 20, 2022, New York City Mayor Eric Adams announced that the city will end its COVID-19 vaccine mandate for private employers on November 1. Adams stated that lifting the mandate now “puts the choice in the hands of New York businesses” as to whether to require employee vaccination, subject to accommodations for religious or medical reasons. ” Full Article
– Cooley LLP
MASSACHUSETTS
Massachusetts Updates Paid Family and Medical Leave Contribution Rates for 202
“The Massachusetts Department of Family and Medical Leave has announced changes to the employer contribution rates under the Paid Family and Medical Leave Act (PFMLA) effective January 1, 2023.” Full Article
– Jackson Lewis
- Published in Blog
Cyber Awareness Month
By Ashley Sherrick, Commercial Lines Strategy Consultant
The way the world conducts business has completely transformed due to the technological advances of the 21st century. Since you’re reading this, it’s clear that digitized information is the new norm for receiving and transmitting data. Much of our communication has turned into email, our critical information has turned to and array of 1s and 0s, and our payment methods have been broadened. Although most of us can agree that these changes have increased productivity, these new ways present their own set of risks. Wherever data or money is changing hands, there is an exposure. There are malicious parties at every turn ready to record and abuse the use of that data. October is Cyber Awareness month and that is why RISQ Consulting wants to remind you that cyber liability is a great place to start in mitigating the risk.
Cyber Awareness Month 2022 Infographic
- Published in Blog
General Cybersecurity Best Practices for Modern Vehicles
This article is from RISQ Consulting’s Zywave client portal, a resource available to all RISQ Consulting clients. Please contact your Benefits Consultant or Account Executive for more information or for help setting up your own login.
Modern vehicle technology has transformed in the past several years as autonomous driving, vehicle electrification and car connectivity features have become more common. While these digital innovations in the automotive industry have added significant customer value, they have also exposed vehicles to cybercriminals attempting to gain access to critical in-vehicle electronic units and data. This article discusses cybersecurity threats modern vehicles face, the importance of the automotive industry providing protections against those risks and best practices for minimizing cybersecurity threats.
Cybersecurity Threats in Modern Vehicles
These days, vehicles are becoming increasingly dependent on connectivity and technology that runs complex software. There are about 100 million lines of software code in today’s vehicles, and by 2030, they’re expected to have roughly 300 million. The overabundance of complex software code within vehicles offers ample opportunity for cyberattacks.
Cyberattacks on modern vehicles could endanger vehicle inhabitants and others, and they may also be used to track vehicles or related data. Hackers can accomplish these attacks through physical or remote avenues:
- Physical access—When hackers gain physical access to a vehicle’s internal communication system, they can affect vehicle operations, such as steering, acceleration and braking.
- Remote access—Modern vehicles utilize Bluetooth technology, remote start applications and GPSs. Once hackers gain remote access, they can transfer knowledge from computers to vehicles and vice versa.
Importance of Cybersecurity in Modern Vehicles
While in-car cybersecurity threats are still relatively new, they are an ongoing concern. It is now the responsibility of automakers to consider cybersecurity an integral part of their core business functions and development efforts. Systems and components that govern vehicle safety features must be protected from harmful attacks, unauthorized access, damage or other threats that might interfere with safety functions.
Best Practices
A layered approach to vehicle cybersecurity can help reduce the probability of an attack’s success and mitigate the ramifications of unauthorized system access. The following are general best practices for modern vehicle cybersecurity:
- Leadership priority on product security—An emphasis on mitigating cybersecurity challenges associated with motor vehicles and motor vehicle equipment should be a priority for automotive industry suppliers and manufacturers. By stressing the importance of cybersecurity from the leadership level down to the staff level, corporations can emphasize the seriousness of managing cybersecurity risks and prioritize cybersecurity throughout the product development process.
- Vehicle development process with explicit cybersecurity considerations—The entire lifecycle of a vehicle—conception, design, manufacture, sale, use, maintenance, resale and decommission—should be taken into consideration when addressing cybersecurity risks, especially since there is more flexibility to design and implement protective measures early in the development process.
- Information sharing—In late 2014, the National Highway Traffic Safety Administration (NHTSA) encouraged the automotive industry to establish Auto-ISAC, an industry-driven community for sharing and analyzing intelligence about emerging cybersecurity risks to vehicles. Vehicle manufacturers, automotive equipment suppliers, software developers, communication services providers, aftermarket system suppliers and fleet managers are strongly encouraged to join Auto-ISAC and share timely information concerning cybersecurity issues.
- Security vulnerability reporting program—Members of the automotive industry should make information reporting easy for the security research community and the general public to help identify cybersecurity vulnerabilities.
- Organizational incident response process—While it’s not possible to predict all future attacks, organizations can prepare their responses, processes and staff to handle incidents effectively. Organizations should develop a product cybersecurity response process that includes:
- A documented incident response plan
- Roles and responsibilities that are clearly identified within the organization
- Communication channels and contacts outside of the organization that are clearly identified
- Procedures for keeping information up to date
- Self-auditing—To establish a clear and controlled process for managing software and related vulnerability risks, organizations must ensure documentation and document controls are in place. For process management documentation, members of the automotive industry should:
- Document the details related to their vehicle cybersecurity risk management process
- Retain documents through the expected lifespan of the associated part
- Implement and follow a control protocol
To assist companies in better understanding their cybersecurity practices and how to improve them, procedures for internal management and documentation review should also be established.
- Education—Continuous education of existing and future workforces can assist in improving the cybersecurity of motor vehicles. NHTSA encourages vehicle manufacturers, suppliers, universities and other stakeholders to work together to support the educational efforts of the workforce.
- Aftermarket/user-owned devices—Aftermarket devices, such as insurance dongles, and user-owned devices, such as cellphones, could present unique cybersecurity challenges. Before these devices are connected to vehicle systems through interfaces provided by the manufacturer, they should be authenticated and provided with appropriate, limited access.
- Serviceability—The average motor vehicle requires regular maintenance and occasional repair to operate safely. The automotive industry should consider the serviceability of vehicle components and systems since vehicles can remain in use for over a decade.
Conclusion
The automotive industry can work towards protecting electronic systems, communication networks, control algorithms, software, users and underlying data from malicious attacks, damage, unauthorized access or manipulation by implementing cybersecurity best practices. Contact us today for more risk management guidance.
- Published in Blog
- 1
- 2