
  • Mental Health Parity Compliance Overview & FAQs

    The Mental Health Parity and Addiction Equity Act of 2008 (MHPAEA) requires parity between a group health plan’s medical/surgical benefits and its mental health or substance use disorder (MH/SUD) benefits. In general, if a health plan provides MH/SUD benefits, MHPAEA requires the plan to:

      • Offer the same access to care and patient costs for MH/SUD benefits as apply to medical/surgical benefits;
      • Treat MH/SUD coverage and medical/surgical coverage equally in terms of out-of-pocket costs, benefit limits and practices such as prior authorization and utilization review; and
      • Use a single combined deductible for MH/SUD coverage and medical/surgical coverage rather than separate ones.

    Parity Requirements

    The financial requirements applicable to MH/SUD benefits can be no more restrictive than the predominant financial requirements applied to substantially all medical/surgical benefits. A plan’s treatment limits for MH/SUD benefits must also comply with MHPAEA’s parity requirements, and aggregate lifetime and annual dollar limits must be the same for both.

    Action Items

    Talk with your Cottingham & Butler service team to help you understand:

      • Your TPA/PBM’s role in helping your plan meet its mental health parity obligations.
      • Risks associated with your current plan design.
      • Potential consequences for failure to comply.

    MHPAEA – General Compliance FAQs is a brief FAQ about how self-funded plans can maintain compliance and be prepared in the event of a Department of Labor (DOL) audit.

  • Attracting and Retaining Construction Workers in Today’s Labor Shortage

    Regardless of company size or industry, employers are struggling to attract and retain quality workers. With the construction industry expected to continue to grow in 2022 and beyond, construction companies and contractors face a labor shortage and struggle to find workers to meet industry demands. This article highlights new employment research, outlines factors contributing to today’s worker shortage, and offers tips to help employers attract and retain skilled workers.

    Labor Market Factors

    The first contributing factor to today’s employment challenges is anticipated industry growth. Of note, the recently signed $1.2 trillion Infrastructure Investment and Jobs Act will likely contribute to this growth as roads, bridges, and other infrastructure are updated nationwide. Although industry demand is promising, companies need skilled workers to meet it. Consider the following statistics regarding industry growth and demand:

      • Construction job growth is projected at 7% from 2020 to 2030, according to the Bureau of Labor Statistics (BLS).
      • The construction industry needs 650,000 workers above its current pace of hiring to meet 2022 demand, according to Associated Builders and Contractors (ABC).
      • The industry gains 3,900 jobs for every $1 billion in additional construction spending, according to ABC.

    Another factor in today’s labor shortage is the high number of workers in the industry reaching retirement age. According to the National Center for Construction Education and Research, 41% of the current construction workforce will retire by 2031. Fewer young workers are joining or staying in this workforce, as recent decades have emphasized higher education over the trades. Furthermore, many of those industry veterans hold management roles, so in addition to finding employees, employers will also need to address leadership gaps to keep their operations running smoothly and retain institutional knowledge.

    Like many other industries, the construction industry competes for today’s workers amid high turnover rates. Regardless of industry, the pandemic caused many employees to reconsider their line of work and try different roles or industries entirely. This shift is especially difficult for construction companies and contractors, whose candidate pool is already narrow because they depend on workers with specialized skills.

    New Research

    In early 2022, employers across the country were surveyed about various employee attraction and retention topics, and more than 150 employers of all sizes and industries responded. Notably, the construction industry had a high participation rate in Zywave’s 2022 Attraction and Retention Employer Pulse Survey. Consider the following key findings from respondents in the construction industry:

      • Over 90% of organizations have at least some difficulty attracting new employees.
      • 58% of organizations have at least some difficulty retaining current employees.
      • 81% of employers consider employee attraction and retention a top-five business challenge and expect the trend to continue.

    Employee attraction and retention come with general hurdles, but construction leaders say they are working hardest to combat these specific challenges:

      • Increasing compensation to meet current demands
      • Addressing current and future skills gaps
      • Addressing increased benefits demands
      • Meeting desires for flexible work arrangements (i.e., remote, hybrid, flexible hours)

    Such challenges significantly shape talent strategies. Similarly, surveyed organizations reported that the top priorities of today’s workers are competitive compensation, competitive benefits, and flexible schedules. While those are what today’s construction workers are looking for, employers have their own wish lists for ideal candidates. Experience, reliability, and professionalism are the top desired traits of construction workers. Knowledge and technical skills were top traits for only roughly a quarter of respondents, suggesting that employers would rather hire for personal attributes and soft skills and support new hires with technical training on the job.

    Worker Attraction and Retention Tips

    Bringing in and keeping workers will continue to be a top challenge for construction companies and contractors. The industry is struggling to find skilled workers to meet current and upcoming demand, and there are no quick fixes for many of the reasons this is happening. As workers retire, take other construction jobs, or leave the industry altogether, employers will need to get creative with attraction and retention strategies. Consider the general tips below.

    Expand Recruitment Tactics

    Employers should consider the best methods for reaching suitable candidates and growing their candidate pool. As the industry looks to recruit a new generation, specifically millennials and Generation Z, new recruitment tactics can be successful. Construction employers can also grow their applicant pipeline by considering groups underrepresented in the industry. According to the BLS, women make up around 10% of construction workers, trailing most other key sectors; that gap is an opportunity to expand talent pools in a growing industry. There is no single approach, but employers could try social media, job fairs, or presenting at high schools, trade or technical schools, and universities to reach key and new talent markets. Recruitment tactics that worked in the past likely won’t be as effective in today’s market.

    Invest in Training Opportunities

    Employers can provide learning and development opportunities to both long-term and new employees to address looming skills gaps left by retiring workers. After all, construction requires specialized skills, and the work comes with a variety of safety hazards. Learning opportunities can also be a way to recruit young employees and help them build a career in the industry. A few examples:

      • Employee training can focus on specialized skills, new technology, or safety-related topics. It is essential to identify any skills gaps left by retirements. Rework is a major cost on construction projects, and proper training helps avoid it.
      • Hands-on training can be the most engaging, since employees actively participate and tend to remember the experience better. As soon as new technology is available or in use on a site, employers can let all workers interact with and practice using it. This also helps supervisors spot a learning gap with devices or software so they can correct mistakes before they happen on-site.
      • Virtual training can help employees learn health and safety regulations quickly and safely. Safety is critical in construction, and on-demand virtual training lets employees test their knowledge and retake lessons as needed until they are comfortable with safety rules and standards.
      • Simulated training, including augmented reality (AR) and virtual reality (VR), provides hands-on practice without endangering workers. Employees can use VR to learn to operate remote-controlled heavy equipment without damaging equipment or materials or injuring workers, and AR can teach teams to repair equipment or other critical mechanical components.
      • Mentoring plans can prepare newer employees for future leadership roles and support the transfer of institutional knowledge from seasoned employees.
      • Leadership development programs can also help prepare employees for management roles. The transition to supervising is a significant change for many. Promoting skilled trades workers into managerial roles can strengthen morale and provide clear career paths; many managers who have retired or will retire started in entry-level or junior positions, understand the work and what it takes to succeed on the job, and often make great managers and leaders for the business.

    Besides offering such opportunities, it is equally important to promote them during recruitment and leverage them as a selling point to workers.

    Review Compensation and Benefits Strategies

    Regardless of the line of work, employees are looking for competitive salaries and benefits. If raises or sign-on bonuses aren’t feasible, a benefits package could help seal the deal for some workers. Disability and life insurance go a long way in showing that a company cares about construction employees’ health and well-being. To aid retention, employers could also consider ways, such as health and wellness programs, to support employees in their work and personal lives.

    Provide Autonomy

    Work autonomy means giving employees the freedom to work in a way that suits them: employees decide how and when their work gets done. This kind of flexibility goes a long way with workers, as the construction industry is generally very rigid and demands a great deal of problem-solving. Where feasible, construction employers can look for ways to minimize micromanagement and focus on policies rather than processes. Autonomy builds trust because it lets employees manage their own work and helps them find purpose in it, and it can encourage mastery: newer workers may feel like masters of their work sooner, which bolsters confidence and accountability. In today’s labor market, accountability and autonomy can be a winning combination for attracting and retaining skilled workers.

    Summary

    Attracting and retaining construction workers has never been easy, and the problem has only worsened during the pandemic because of factors such as highly skilled workers retiring or reconsidering their line of work. As industry growth outpaces talent availability, employers will need to get creative to compete in today’s tight labor market. Reach out to your Cottingham & Butler representative today for more attraction and retention guidance.

  • Employment Practices Liability & Employment-Related Lawsuits

    Employment-related lawsuits are a growing concern for employers of all sizes. As litigation costs and damage awards climb, experts predict that employment liability will only become more complex. As a result, it is critical for employers to understand their exposures and their options for managing the risk.

    Strategies to Reduce Your Company’s Exposure

    Two effective risk management strategies are solid human resources practices and employment practices liability (EPL) insurance, a policy that covers your risk in an ever-changing legal and employment environment. The three most common employment-related lawsuits today are:

      • Wrongful termination: the discharge of an employee for invalid reasons.
      • Discrimination: the denial of equal treatment to workers who are members of a protected class.
      • Sexual harassment: subjecting a worker to unwelcome sexual advances or obscene or offensive remarks, or failing to stop such behavior.

    EPL insurance works hand-in-hand with your internal employment practices to provide the resources to defend your company against a suit or to pay a claim. To understand how to cover your EPL risk, it is important to know the potential sources of exposure:

      • Recruitment practices
      • Employment applications
      • Employment offers
      • Employee orientation
      • Annual conduct reviews
      • Enforcing performance policies
      • Termination
      • Improper documentation of any of the above

    Engaging in solid human resources practices is an important strategy for limiting your company’s liability. To verify your HR policies and practices, conduct a thorough HR audit:

      • Verify that the employee handbook outlines all policies and terms of employment in clear and concise language.
      • Require employees to sign an acknowledgment form for receipt of the handbook.
      • Develop training for supervisors covering interview skills, performance reviews, and a “zero-tolerance” policy.

    Employment law is complex and varies by jurisdiction. Well-organized and credible documentation can demonstrate fair treatment, deter litigation, ensure employee honesty, and, should litigation occur, document the employer’s actions.

    In addition to appropriate employment policies and HR best practices, EPL insurance is another useful risk management tool for defending against a suit or paying a claim. In fact, evidence of sound practices and policies will be required to obtain EPL coverage. Typically, the underwriter will require a copy of your employee handbook, which should cover the following policies:

      • Sexual harassment
      • Discrimination
      • Equal opportunity
      • Disabled employees and accommodations
      • Grievances
      • Employee discipline
      • Termination
      • Performance evaluations
      • Internet usage/employee privacy
      • Pregnancy leave
      • Internal job postings
      • Hiring and interviewing
      • Alternative dispute resolution/arbitration
      • Employment-at-will
      • Employment application form

    You are usually also required to provide the most recent annual report or SEC Form 10-K, the list of entities proposed for coverage, and the most recent EEO-1 reports. As with all of your risk-management needs, Cottingham & Butler is committed to helping you assess your employment-related policies and develop best-practice solutions. Call us today to learn more about our risk management services.

  • Abortion-Related Travel Reimbursement

    Following the Supreme Court’s decision in Dobbs v. Jackson Women’s Health Organization, some employers are interested in providing some level of travel and lodging reimbursement for employees and family members who may need to travel out of state to obtain a legal abortion. There are a variety of ways these benefits could be offered. Some of the most common ways employers are seeking to support their employees include:

      • Group medical plan
      • HRA integrated with the group medical plan
      • Excepted benefit HRA
      • Employee assistance program (EAP)
      • Health FSA or HSA reimbursement
      • Lifestyle account
      • Travel reimbursement program

    There is some uncertainty about how various benefit compliance requirements apply. While providing the coverage under the employer’s group medical plan or an integrated HRA appears to be the most popular method right now, the safest approach may be to provide a broader travel reimbursement arrangement on a taxable basis, not tied specifically to abortion-related travel and lodging, and to limit the documentation required to receive reimbursement. However, we appreciate that employers may prefer to handle it differently until further clarification is provided as to what is permitted. Depending on how the coverage or reimbursement is offered, the employer will be wise to consider the following compliance questions.

    Can the reimbursement be handled on a tax-favored basis?

    Under IRC §213(d), qualifying medical expenses include travel and lodging expenses incurred primarily for and essential to medical care. To cover or reimburse such expenses on a tax-favored basis, they generally need to be run through a group health plan (e.g., group medical plan, HRA, health FSA, EAP) or an HSA.

      • Travel: There is no specific cap, but the expenses must be reasonable (e.g., not first-class flights). They could include gas, car rental, bus or airplane tickets, etc. Medically-related travel is reimbursable on a tax-favored basis at the actual cost of travel or using the IRS medical mileage rate; either is acceptable.
      • Lodging: Lodging expenses are reimbursable on a tax-favored basis only up to $50 per night per individual ($100 per night if a travel companion is required).

    Travel or lodging reimbursement beyond what is permitted under §213(d) should be taxable to the employee. For further detail on these taxation rules, see IRS Publication 502.

    How do state laws apply?

    If the coverage is provided through a fully insured group medical plan, the insurance laws of the state in which the policy is issued apply. If the policy is issued in a state with restrictive abortion laws, the carrier may not offer a plan providing such reimbursement, and the employer may have to consider other options, such as an HRA. If the coverage is provided through a self-funded group medical plan, and the arrangement is subject to ERISA, the employer has more flexibility in plan design because of ERISA preemption and is not required to follow state insurance coverage requirements or restrictions. However, the employer must still consider very restrictive state laws that impose civil or criminal penalties on individuals or entities who “aid or abet” abortions (e.g., Oklahoma and Texas). Providing coverage or reimbursement related to an abortion could expose the employer to such penalties, so employers with employees residing in those states should work with counsel before implementing it.

    Is the arrangement subject to ERISA (e.g., plan documentation, SPD distribution, Form 5500 filings)?

    The group medical plan, HRA, health FSA, and EAP are generally subject to ERISA, so travel benefits run through those arrangements are as well. This may provide some protection against state laws prohibiting or restricting coverage, because a self-funded plan qualifies for ERISA preemption. A more general travel reimbursement program that is not run through those arrangements, and perhaps is available more broadly than for medically-related travel, would likely not be subject to ERISA.

    If the benefit is not run through the employer’s group medical plan, does the arrangement create a stand-alone group health plan and interfere with Affordable Care Act (ACA) compliance (e.g., preventive coverage, annual/lifetime limits)?

    An HRA must generally be integrated with a group medical plan to comply with ACA requirements, which limits the offering to those also enrolled in the employer’s group medical plan or another employer’s plan (e.g., a spouse’s). However, an excepted benefit HRA (EBHRA), which may be funded up to $1,950 in 2023, can be offered to everyone eligible for the group medical plan rather than only those enrolled in it. There is some argument that an EAP reimbursing solely travel and lodging, and not the medical procedure itself, does not provide “significant medical benefits,” in which case it would qualify for excepted benefit status and would not have to comply with the ACA; further guidance from the agencies on what counts as “significant medical benefits” is needed. If the EAP cannot be treated as an excepted benefit, there is risk in not integrating it with the group medical plan (i.e., limiting access to those actually enrolled in the group medical plan).

    How does the coverage affect HSA eligibility for those enrolled in a qualifying high deductible health plan (HDHP)?

    If coverage is provided via a group medical plan or an HRA, participants must meet the minimum HDHP deductible before having such expenses reimbursed in order to preserve HSA eligibility. For an EAP, if it can be argued that the EAP does not provide “significant medical benefits,” it may be acceptable to reimburse right away (before the minimum HDHP deductible is met) without affecting HSA eligibility.

    Is the arrangement subject to mental health parity rules?

    If coverage is provided via a group medical plan or an HRA, it may be necessary to reimburse travel and lodging more broadly (for mental/behavioral health as well as medical/surgical care) to avoid violating mental health parity rules.

    Do HIPAA privacy and security rules apply? What other privacy considerations are there?

    A group medical plan, health FSA, HRA, and many EAPs are subject to the HIPAA privacy and security rules, which greatly limit how information collected through the plan can be disclosed without the participant’s authorization. This may be of some comfort to participants. The employer should also consider the Pregnancy Discrimination Act (PDA) and other privacy and nondiscrimination requirements that may limit its ability to collect or share information, or to act on it. Employers reimbursing outside of a health plan should carefully consider how to handle requests and make determinations, and, if specific documentation is required, how to review and retain that information so that it stays confidential.

  • 2022 Cyber Insurance Midyear Market Outlook

    The past year has seen a rapidly hardening cyber insurance market as cyberattacks have surged in both cost and frequency. The increase in attacks has, in turn, driven a rise in cyber insurance claims and subsequent underwriting losses. Amid these conditions, most policyholders saw higher cyber insurance rates at their 2022 renewals, with many insureds facing double-digit increases; industry data shows that rates rose by as much as 50%–100% during the first quarter of the year, depending on a policyholder’s specific exposures, loss history, and risk management measures. Insureds have also begun encountering coverage restrictions, closer scrutiny from underwriters regarding cybersecurity practices, and exclusions for losses stemming from certain types of incidents, namely acts of cyberwarfare related to international conflicts and other increasingly prevalent attack methods (e.g., ransomware). Looking ahead, policyholders who fail to adopt proper cybersecurity controls or who experience a rise in cyber-related losses may continue to face rate increases and coverage limitations for the foreseeable future.

    Developments & Trends to Watch

    Increased nation-state threats and coverage exclusions. Nation-state cyberattacks have become a growing concern over the past year, especially as the ongoing Russia-Ukraine conflict contributes to global cyberwarfare worries. In March 2022, the White House issued a statement warning U.S. organizations that nation-state cybersecurity exposures stemming from Russian attackers would likely increase in the coming months. The federal government also introduced new initiatives to harden the nation’s cyber defenses against foreign threats and urged businesses to follow suit. Apart from elevating their own defenses, some insureds have sought coverage for emerging cyberwarfare risks, but they have likely faced challenges obtaining it, primarily because of war exclusions, which generally state that damage from “hostile or warlike actions” by a nation-state or its agents is not covered. Cyber insurance policies are not immune to war exclusions. Recent court cases and insurance industry shifts have both broadened and narrowed aspects of the scope of war exclusions as they pertain to cyberwarfare, creating confusion and potential coverage gaps for policyholders.

    Elevated ransomware concerns. Ransomware attacks have skyrocketed in recent years, affecting many businesses but especially small and medium-sized establishments. Industry data shows ransomware activity decreased by 20% in the first quarter of 2022 compared to the fourth quarter of 2021, likely because international law enforcement operations disrupted several high-profile ransomware groups since the beginning of the year. Nevertheless, ransomware attacks still accounted for 32% of overall cyber-related losses in the first quarter of 2022, and the costs of those attacks continue to rise: according to data from cybersecurity company Palo Alto Networks, the average ransom payment reached $925,162 in the first five months of 2022, up 71% from the prior year.

    Heightened business email compromise (BEC) risks. BEC scams involve a cybercriminal impersonating a legitimate source within an organization to trick the victim into wiring money, sharing sensitive data, or engaging in other compromising activities. These scams are among the most expensive types of social engineering losses, and they have emerged as a major threat. According to the FBI, BEC scams caused more than $43 billion in losses since 2016, with such losses increasing by 65% between 2019 and 2021 alone.

    Tips for Insurance Buyers

      • Work with trusted insurance professionals to secure cyber coverage that meets your needs.
      • Start the cyber insurance renewal process as early as possible and be prepared to complete supplemental applications about your cybersecurity practices.
      • Take advantage of loss control services offered by carriers to strengthen your cybersecurity measures.
      • Focus on employee training to prevent cybercrime from affecting your operations.
      • Establish an effective, documented cyber incident response plan to minimize damage during an attack.

  • Cybercrime & Cyber Coverage | Ransomware and Social Engineering

    Regardless of size, every business that is connected to the internet or has an online presence is at risk of cybercrime. Every business should therefore be prepared with an effective cybersecurity plan to protect against those risks, and that plan should include cyber insurance coverage. One might think that large companies are far more likely than small businesses to be targets of cybercrime, with far more devastating consequences; in actuality the ratio is only about 2:1, with a third of all documented data breaches occurring in businesses with fewer than 100 employees. And of small businesses that do fall victim to cybercrime, nearly two thirds close their doors within 6 months of the attack. Despite this vulnerability, fewer than half of small-business owners consider cyber threats a concern: the majority of small-business owners surveyed by CNBC said they are not worried about being the victim of a cyberattack and expressed confidence that they could quickly resolve an attack on their business if needed. This apathy and overconfidence vanishes the moment one of these businesses falls victim to an attack and feels the associated pain and sense of helplessness. Pain can be an excellent motivator and teacher, but it would be far better for companies to learn from the pain of others and protect themselves before becoming victims.

    The two most prevalent types of cyber claims we see reported at Cottingham & Butler involve ransomware and social engineering attacks.

    Ransomware

    According to the U.S. Cybersecurity and Infrastructure Security Agency (CISA), “Ransomware is an ever-evolving form of malware designed to encrypt files on a device, rendering any files and the systems that rely on them unusable. Malicious actors then demand ransom in exchange for decryption. Ransomware actors often target and threaten to sell or leak exfiltrated data or authentication information if the ransom is not paid.”

    Ransomware attacks are increasing both in number and in the dollar amounts demanded: ransomware attacks globally increased 105% last year, and what is believed to be the largest ransomware payment ever made, $40 million, was paid by an insurance company last year to regain control of its systems. In addition to becoming greedier, with ransom demands often in the millions or even tens of millions of dollars, attackers are becoming more vicious as well, sometimes returning for a second bite of the apple and refusing to make data accessible until an additional ransom is paid. Sometimes the attacker never restores access to the encrypted data despite payment of the demanded ransom. This is only one reason why CISA recommends that victims DO NOT PAY the ransom. According to CISA’s website, other reasons include that some victims who paid have reported being targeted again by cybercriminals, and that paying a ransom could encourage and perpetuate this type of crime.

    Ransomware attacks have hit some large, high-profile companies recently, including companies in critical infrastructure such as the fuel and food industries. In May 2021, both Colonial Pipeline (one of the largest fuel pipelines in the US) and JBS Foods (one of the largest meat processing companies in the world) were the victims of ransomware attacks. The attack on Colonial Pipeline prompted the company to shut down its fuel distribution operations, leading to widespread fuel shortages at gas stations along the East Coast. Colonial paid $4.4 million in ransom to regain access to its data and systems and restart fuel distribution. JBS Foods paid $11 million in ransom to regain access to its data and systems and avoid major food shortages.

    Is your company ready for a ransomware attack? Do you have sufficient cyber coverage to survive one and remain financially solvent?

    Social Engineering

    Social engineering is the art of manipulating people in an online environment, encouraging them to divulge, in good faith, sensitive personal information such as account numbers, passwords, or banking details. It can also take the form of the “engineer” requesting a wire transfer to what the victim believes is a financial institution or person with whom the victim has a business relationship, only for the victim to learn later that the money landed in the engineer’s account.

    The most common social engineering claim we see at Cottingham & Butler involves an employee of a client being tricked into redirecting payment of invoices or payroll to a cybercriminal, usually in response to an email that appears to come from the proper payee. These criminals have been willing to fill out the paperwork necessary to effect the change of account, including providing a letter from a bank. This is why it is so important to pick up the phone and call the proper payee at the phone number already on file, never a number supplied in the request itself, to verify that they really intend to change deposit accounts.

    A perfect example of this made the local news recently. Cottingham & Butler is headquartered in Dubuque, Iowa. Just a few weeks ago, Iowa State Auditor Rob Sand was the target of an attempted email scam in which someone pretended to be him and unsuccessfully tried to move his paycheck deposit to a different bank account. He credited a state human resources worker with contacting him directly to alert him to the email requesting the change.
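    The payee-change verification described above, as an added example that is not Cottingham & Butler’s code: a small Python model of the control in which every request to change a payee’s bank account is confirmed by calling the number already on file, never a number supplied in the email. The vendor record, the two change-request emails and the simulated phone confirmation are constructed for this example, and the names VendorRecord, ChangeRequest and review_change_request are the example’s own.

```python
"""Out-of-band verification for payee bank-detail change requests.

Added example, not Cottingham & Butler's code. The vendor record, the change
requests and the phone-confirmation stand-in are all constructed here; a real
system would read the vendor master from the ERP and have a person place the call.
"""
from dataclasses import dataclass, field
from typing import Callable, Optional


@dataclass(frozen=True)
class VendorRecord:
    name: str
    email_domain: str   # domain the payee has always emailed from
    phone_on_file: str  # captured at onboarding, never taken from an email
    account_number: str


@dataclass(frozen=True)
class ChangeRequest:
    vendor_name: str
    sender_email: str
    new_account_number: str
    contact_number: Optional[str] = None  # "call me on this number" in the email


@dataclass
class Decision:
    approved: bool
    reasons: list = field(default_factory=list)


def digits(phone: str) -> str:
    """Reduce a phone number to its digits so formatting differences do not matter."""
    return "".join(ch for ch in phone if ch.isdigit())


def review_change_request(
    req: ChangeRequest,
    vendor: VendorRecord,
    confirm_by_phone: Callable[[str, str], bool],
) -> Decision:
    """Decide whether a requested account change may be applied.

    confirm_by_phone(number_dialled, new_account) models the human step: someone
    calls the payee and asks whether they really requested the change. The number
    dialled is always vendor.phone_on_file; a number supplied in the email is
    recorded as a red flag but never used.
    """
    decision = Decision(approved=False)

    sender_domain = req.sender_email.rsplit("@", 1)[-1].lower()
    if sender_domain != vendor.email_domain.lower():
        decision.reasons.append(
            f"sender domain {sender_domain!r} differs from domain on file {vendor.email_domain!r}"
        )

    if req.contact_number and digits(req.contact_number) != digits(vendor.phone_on_file):
        decision.reasons.append(
            "email supplies a callback number that differs from the number on file; ignored"
        )

    # Every change is confirmed out of band, even when nothing above looked wrong:
    # a genuinely compromised vendor mailbox produces a perfect-looking request.
    if not confirm_by_phone(vendor.phone_on_file, req.new_account_number):
        decision.reasons.append("payee did not confirm the change at the number on file")
        return decision

    decision.approved = True
    decision.reasons.append("payee confirmed the change at the number on file")
    return decision


# --- constructed sample data (not real vendors, numbers or accounts) ----------

ACME = VendorRecord(
    name="Acme Supply",
    email_domain="acmesupply.example",
    phone_on_file="+1 (555) 010-0100",
    account_number="1111-2222",
)

# Lookalike domain (capital I in place of lowercase l) plus an attacker-controlled
# "new" callback number: the invoice-redirection pattern described above.
FRAUDULENT_REQUEST = ChangeRequest(
    vendor_name="Acme Supply",
    sender_email="ar@acmesuppIy.example",
    new_account_number="9999-8888",
    contact_number="+1 (555) 010-0199",
)

# A legitimate change, sent from the real domain with no callback number.
LEGITIMATE_REQUEST = ChangeRequest(
    vendor_name="Acme Supply",
    sender_email="ar@acmesupply.example",
    new_account_number="3333-4444",
)

# What the real payee says when called at the number on file (simulated).
_PAYEE_ANSWERS = {("+1 (555) 010-0100", "3333-4444"): True}


def simulated_phone_confirmation(number_dialled: str, new_account: str) -> bool:
    """Stand-in for the phone call; only the genuine change is acknowledged."""
    return _PAYEE_ANSWERS.get((number_dialled, new_account), False)


if __name__ == "__main__":
    for req in (FRAUDULENT_REQUEST, LEGITIMATE_REQUEST):
        d = review_change_request(req, ACME, simulated_phone_confirmation)
        print(req.sender_email, "->", "APPROVED" if d.approved else "REJECTED", d.reasons)
```

    The lookalike domain and the unexpected callback number are recorded as reasons but do not decide the outcome; the decision rests on the confirmation call, which is placed to the number on file regardless of what the email says. That ordering matters because a request sent from a vendor’s genuinely compromised mailbox carries no cosmetic red flags at all.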
If your company falls victim to a Social Engineering scam, do you have coverage for the ensuing economic impact? Coverages Coverage for losses associated with ransomware is available within cyber insurance policies under an insuring agreement most often termed “cyber-extortion coverage.” The items it covers include the ransom payment, breach response, and restoration of data and systems. Business Interruption coverage is also important to cover costs associated with any downtime following a ransomware attack. At Cottingham & Butler, it is our standard to quote a $1M cyber policy aggregate, and we prefer to bind quotes with a “cyber extortion” aggregate that matches the policy aggregate. If we cannot provide a client with a program that offers a ransomware limit outside of the coverages that fall under the carrier’s “cyber extortion” insuring agreement, then we make sure that the coverages that fall under “cyber extortion” (including ransomware) match the policy aggregate so we aren’t limiting coverage for the insured. Social Engineering and Cybercrime coverages can cover: financial fraud loss (funds transfer), telecommunications fraud, phishing attacks, and personal funds theft. Our team consistently ensures that coverage is included for funds transfer fraud, either within or in addition to Social Engineering coverage, and we seek out carriers that can provide a $250K sublimit for Social Engineering coverage. To better protect our clients, we quote $1 Million for the various coverage parts (except for Social Engineering coverage, which is only available up to $250K), and at least $1 Million aggregate. We have the ability to get higher limits. Cottingham & Butler, with its dedicated team of Producers and Claims Advocates, is ready and able to help with insuring against and responding to a Ransomware or Social Engineering attack directed against you. Contact a representative today to learn more.

  • Dobbs v. Jackson: Fallout for Benefit Plans and Other Employer Considerations

    The U.S. Supreme Court’s June 24 decision in Dobbs v. Jackson Women’s Health Organization overturned Roe v. Wade and Planned Parenthood v. Casey, which previously held that the Constitution prohibited states from banning abortion or unduly burdening access to abortion services during initial phases of pregnancy. After the recent Dobbs ruling, states now have complete freedom to either allow or prohibit access to abortive care within their borders. At least 24 states have laws that can now be enforced barring abortion or imposing strenuous conditions. Certain states (such as Oklahoma and Texas) now enable individuals to bring civil lawsuits against anyone who assists in the performance or inducement of abortion, including paying for or reimbursing the costs of the procedure through insurance or otherwise. We expect that this decision will also open the door for further state regulation regarding reproductive rights.

In light of the Supreme Court’s decision, we recognize that some employers will want to continue to provide abortion-related benefits to their employees. This Client Alert outlines various plan design options and other factors to consider. However, many of the issues surrounding these types of benefits remain open questions at this time. Legal challenges to these laws are already underway, and more are expected in the future.

Action Steps

As explained below, employers sponsoring group health plans should closely analyze any abortion benefit offered under their group health plans to ensure full compliance with applicable restrictions. Depending on the type of plan offered, employers may have some amount of discretion in enhancing or restricting coverage. Employers wishing to support employees seeking abortions through employee benefits may have to creatively examine alternative benefit structures if they find themselves in a state that prohibits abortion. A review of non-benefit policies and practices may also be necessary to ensure a peaceful and productive working culture in this new “post-Roe” era.

Group Health Plan Coverage

How this change affects group health plan coverage offered by employers will be different depending on whether the plan is fully-insured or self-funded, as well as where the plan is issued, and where the employees work and reside. We recommend that employers carefully review their group health plans to understand what level of coverage for abortion is currently available. Also, to the extent an employer has employees in a state with particularly strong prohibitions on abortion, consultation with legal counsel is highly recommended.

Fully-Insured Plans

Insurance carriers will have to tailor fully-insured plans to provide coverage in accordance with applicable state law, based on the state where the policy is issued – not where the plan’s participants reside or work. Because some states will prohibit covering abortions (and other states will require such coverage), employers operating across several states may choose to obtain coverage from an insurer in the state that more closely reflects their desire to provide or restrict abortion coverage. Of course, providing coverage for an abortion doesn’t necessarily mean that a participant may easily obtain abortive services if they live in a more restrictive state.

Self-Funded Plans

Because ERISA preempts state law, employers subject to ERISA offering self-funded health plans may largely ignore state insurance laws and choose whether or not to cover abortive services. With that being said, there are a few caveats to consider before amending your plan:

- Non-ERISA employers (such as local government plan sponsors) will likely have to follow state laws and guidelines, much like fully-insured plan sponsors.
- Self-funded plans carrying insured stop-loss coverage may experience carve-outs in those fully-insured re-insurance policies, as carriers will have to follow state law.
- While ERISA plans do not have to follow state insurance laws, employers should carefully consider other state laws where their employees reside to understand if there is any other kind of potential risk. For instance, if a state imposes civil or criminal penalties on individuals or providers assisting with obtaining abortions, it is not yet clear whether such penalties could impact plans or plan sponsors covering abortive services.

Alternative Benefit Strategies

Employers with employees in states where abortion is illegal may consider different strategies to facilitate abortion access for employees and their dependents. Some employers are considering ways to cover the travel and lodging expenses relating to out-of-state abortions in lieu of actually covering abortive services, even though it is still unclear whether individuals can sue companies that cover travel expenses for legal out-of-state abortions. What follows are descriptions of a few alternative strategies.

Travel and Lodging Benefits through the Group Health Plan

In a fully-insured plan, such benefits will be limited by the carrier’s policy and, in turn, affected by that state’s insurance laws. In a self-funded plan, such travel benefits could be added. However, remember that all benefits under a group health plan will be subject to ACA rules and Mental Health Parity rules, among other ERISA and IRS-related requirements, which could prove to be too restrictive in their own ways. Careful analysis of the effects on plan administration and non-abortion benefits should be considered before choosing to cover travel and lodging under the group health plan.

Health Reimbursement Arrangements (HRAs)

Let’s say a fully-insured employer is prohibited from covering abortive services under state insurance laws. Could that employer sponsor a stand-alone HRA to cover abortive services or the costs of travel to an abortion state? After all, an HRA is really just a self-funded health plan. Theoretically, yes, that might work. A few words of caution:

- Remember that the HRA’s eligibility requirements must be tied to the group health plan or else it may not comply with ACA requirements. (Tangent: HRAs enjoy the status of being an excepted benefit if they are integrated with the group health plan; if they are not, they’ll be subject to the ACA’s annual limit requirements. And because an HRA is really just one big annual limit, compliance might not be possible.)
- Understand that an HRA providing such coverage in conjunction with a High Deductible Health Plan could disqualify participants from being eligible to contribute to an HSA.
- Finally, under Section 213 of the Internal Revenue Code, the actual amounts an HRA may reimburse for travel and lodging expenses are limited to a relatively modest amount.

Employee Assistance Plans (EAPs)

It is possible to cover travel and lodging benefits under an EAP that is an excepted benefit, which would exempt those benefits from ACA requirements. But to be an “excepted benefit,” the EAP:

- Cannot provide significant benefits in the nature of medical care or treatment,
- Cannot be coordinated with benefits under another group health plan,
- May not charge a premium, and
- May not require any cost-sharing contributions from participants.

It is the subjective nature of the first requirement that may prove challenging to overcome. Whether or not costly expenses related to abortion travel are considered “significant” may be too much of an unknown factor for an employer to risk taking on, as no plan sponsor wants to inadvertently turn their add-on EAP referral service into a full-blown ACA-compliant health plan. Employers considering this strategy will want to first consult with their EAP provider to determine potential viability.

Taxable Compensation as a Means to Cover Abortion-related Costs

The best way to stay clear of stringent IRS rules and burdensome ACA, ERISA and HIPAA laws is to simply give an employee more taxable cash. An employer could create a “wellness stipend” to provide taxable compensation to be used for abortion-related costs or to reimburse travel expenses in addition to other health-related expenses. Since the benefit would be taxable, specific substantiation would not be required. This might also serve the dual purpose of protecting the employer from the potential ramifications of a state civil or criminal penalty (if the employer truly didn’t know why an employee was receiving the benefit or how that employee was spending the money) while simultaneously ensuring an employee’s privacy. However, implementation could be tricky, and inconsistent application of providing a stipend could appear discriminatory.

Non-Benefit Employer Considerations

In addition to health plan benefits, all employers will be wise to consider the impact of such a controversial decision on workplace culture and employee protections. We strongly recommend that you work with your legal employment counsel and HR advisors to develop a checklist of policies and practices to review in accordance with federal, state and local laws. While not exhaustive, the following are a few of the federal employment-related laws employers should begin to consider.

Americans with Disabilities Act (ADA)

Pregnancy alone is not considered a disability under the ADA. However, a pregnancy-related impairment may be covered under the ADA from an accommodation standpoint. An employee seeking an abortion due to a disability may be entitled to take leave as an ADA accommodation, unless such leave would result in an undue hardship to the employer.

Family Medical Leave Act (FMLA)

Employers (with 50 or more employees) covered under FMLA may have to provide protected leave for employees obtaining abortion-related care if their healthcare provider determines that they have a qualifying serious health condition. When administering such leave requests, employers should remember to follow FMLA guidelines for obtaining certification and maintaining confidentiality of the employee’s medical information.

National Labor Relations Act (NLRA)

While employers can educate employees and coax their workforce toward creating a supportive and inclusive work environment, no employer can prohibit employees from talking with each other about the terms and conditions of their employment. So, if an employer chooses to cover or not cover abortion-related services under their health plan, for instance, the NLRA provides employees with the right to express their opinion to other employees about such a policy. This protection extends to social media as well.

Pregnancy Discrimination Act (PDA)

The Pregnancy Discrimination Act protects women from being fired for having an abortion or contemplating having an abortion. It also prohibits adverse employment actions against an employee based on their decision not to have an abortion. The Act further covers reasonable accommodations for pregnant workers, but only if such accommodations are offered to other employees with similar situations. Does this mean that the PDA would require an accommodation related to a pregnant employee obtaining an abortion? While not totally clear, given the unprecedented nature of this situation, unpaid leave should be permitted for a pregnant employee to the same extent that other employees who are similar in their ability/inability to work are allowed to do so.

This Client Alert is not intended to be exhaustive, nor should any discussion or opinions be construed as legal advice. Readers should contact legal counsel for legal advice.

  • The Dangers of Being Underinsured & Potential Policy Impact

    75% of commercial businesses are currently being underinsured by an average of 40% or more – per a recent CoreLogic statistic. Approximately 88% of total loss claims since the beginning of 2022 involved vehicles that were underinsured. Year to date, this is up from 53% underinsured in 2021, and only 33% underinsured in 2020.

As the market for physical damage and commercial property insurance continues to face challenges—from premium increases to rapidly expanding demand—it’s crucial to keep in mind not only the factors contributing to these changes, but what steps your business can take to proactively address them. Underinsured values have become particularly prevalent, meaning motor carriers should take care to discuss vehicle and property values at the inception and renewal of their insurance, as well as throughout the course of their policy. Take a look at the key points below or contact a Cottingham & Butler representative to learn more.

Physical Damage

With most physical damage insurance policies written on the lesser of the stated amount or actual cash value, the dramatic increase in vehicle values and repair costs results in many vehicles being underinsured. The end result is that companies and individual Owner Operators involved in accidents where the truck is totaled are not getting enough money to replace the totaled unit with similar equipment. The increase in the valuation of individual units is making current per-location limits insufficient as well. If you have a concentration of vehicles at an individual location, please review those limits for adequacy as well.

Property

With supply chain delays and costs of materials and labor increasing, it is likely that property values may be understated. Take a look at the price movement of building construction costs below, and note the enormous spike in costs for industrial and warehouse buildings. Be sure to proactively revisit your building values as well to ensure proper coverage upon renewal.

Cargo

Rising inflation has ultimately increased the cost of goods motor carriers are hauling. Review the index below, and be sure to review current per-load limits on cargo to be sure they’re all still adequate when compared to market increases. Contact a Cottingham & Butler representative today for assistance on any valuation questions or changes you may have.

  • 4 Components of Cyber Risk Management

    If your company stores data and information digitally, you should have a cyber risk management program that addresses prevention, disclosure, crisis management and insurance coverage in the event of a data breach. Good cyber risk management requires the planning and execution of all 4 of these components.

Develop Strategies to Prevent a Data Breach

Your data breach prevention strategies may include encrypting all devices used by your employees, such as laptops, tablets and smartphones. Encrypting these devices will prevent unauthorized access if a device is lost or stolen. Unencrypted devices are often not covered by a cyber liability policy, so make sure you know whether you need to encrypt the devices or not. Your strategies may also include educating employees about phishing and pharming scams. Remind them not to click on anything that looks suspicious or seems too good to be true.

Analyze your cyber risks from three different perspectives: technology, people and processes. Assessing these risks will give you a clear picture of potential holes in your security. Revisit and revise your plan regularly, because new risks arise often, sometimes even daily.

Know Your Disclosure Responsibilities

If you experience a data breach, you may be required to notify certain people. If your company is publicly traded, guidelines issued by the Securities and Exchange Commission (SEC) make it clear that you must report cyber security incidents to stockholders—even when your company is only at risk of an incident. The SEC advises timely, comprehensive and accurate disclosure about risks and events that would be important for an investor or client to know. It’s important to evaluate what information and how much detail should be released. Notifying a broad base when it is not required could cause unnecessary concern for those who have not been affected by the breach. Some extreme cases of a data breach may cause you to go further than just assessing and disclosing the information. You may have to destroy or alter data depending on its sensitivity.

Have a Crisis Management and Response Plan

Preparedness is key when developing your cyber risk management program. When you experience a data breach, you need to be prepared to respond quickly and appropriately. This is where your crisis management and response plan come into play. Determine when and how the breach occurred, what information was obtained and how many individuals were affected. Then assess the risks you face because of the data breach and how you will mitigate those risks. While managing a crisis, let your clients know what actions you are taking, but also be sure you’re not disclosing too much information. It’s a delicate balance. Focus on improving future actions—this will restore trust in your stakeholders and clients. Your in-house lawyers, risk managers and IT department should work together to create and refine your plan. Everyone should be on board and know their responsibilities when a breach happens.

Protect Your Data—and Your Business

Your cyber risk management program should include cyber liability insurance coverage that fits the needs of your business. Cyber liability insurance is specifically designed to address the risks that come with using modern technology—risks that other types of business liability coverage simply won’t cover. The level of coverage your business needs is based on your individual operations and can vary depending on your range of exposure. Your cyber liability insurance policy can be tailored to fit your unique situation and can be written to include the costs of disclosure after a data breach. Contact Cottingham & Butler to learn more about cyber liability insurance and how you can protect your business from a data breach.

  • Reducing Supply Chain Risk & Cyber Exposure

    Cyberattacks on global supply chains can cause irreparable harm to an organization’s operational, financial, and reputational wellness. These incidents can occur even if your organization is practicing proper cybersecurity methods. Instead of attacking your organization directly, these cybercriminals take advantage of vulnerable suppliers or vendors in your organization’s supply chain to wreak havoc on key operations and compromise essential data.

Supply chain risk has increased dramatically in the last decade, as the internet has become a necessary element of various business operations. What’s more, third-party breaches can be costly, increasing the average cost of a data breach by $207,411. Still, research shows this risk is largely being overlooked. While it’s not possible to totally eliminate supply chain risk, there are several steps your organization can take to reduce your supply chain exposure. Review the following guidance to understand what factors increase your organization’s supply chain risk, how to mitigate them and what to do if your supply chain is compromised.

Where Does Supply Chain Risk Come From?

Supply chain risk can stem from a variety of parties and practices within your organization, such as:

- Third-party services or vendors with access to information systems
- Poor information security practices by suppliers
- Compromised organizational software or hardware
- Software security vulnerabilities in supply chain management or among third-party vendors
- Inadequate third-party data storage measures

Every organization has at least two levels of suppliers. This includes directly contracted suppliers (Tier 1) and the companies that supply to them (Tier 2). Very few organizations review the risk of their Tier 2 suppliers, leaving them vulnerable to supply chain cyberattacks. What’s worse, supply chain risk can increase dramatically a few months into suppliers’ contract terms and may only continue to increase throughout these contracts if such Tier 2 suppliers are not properly vetted for potential cyber exposure concerns.

What Factors Increase Supply Chain Risk?

A wide range of factors have the potential to elevate your organization’s supply chain risks, including:

- Complacency or inability of your organization or its suppliers to monitor and assess cyber risk
- Any changes in your organization’s cyber risk tolerance
- The increasing severity and frequency of cyberattacks
- The increasing sophistication and boldness of cybercriminals

In the event of a supply chain cyberattack, cybercriminals may attempt to overwhelm your organization’s networks and servers to disrupt normal business activities. They may also try to copy, rearrange or destroy vital company data. Whatever their intent, a cyberattack on your organization’s supply chain can be costly and time-consuming.

Understanding Your Supply Chain Exposure

There are several ways in which your organization can review its supply chain cyber exposure. Consider the following best practices:

- Create a vendor inventory of all third parties and consultants with access to your organization’s IT network or sensitive data.
- Use a cross-functional, legal, compliance and privacy team to assist your organization in assessing its supply chain risk.
- Communicate with your organization’s vendors about their specific cyber risks and what measures they have in place to mitigate these exposures.
- Review the cybersecurity policies and procedures in place within your organization and its suppliers for effectiveness.
- Assess your organization’s physical and online processes to determine potential gaps in cybersecurity.
- Identify critical systems, networks and information within your organization to better understand how this data could be compromised and what actions are necessary to protect such data.

Decreasing Supply Chain Risk

Fortunately, there are some steps that your organization can take to help decrease its supply chain cyber risk. Be sure to implement these precautions:

- Incorporate cyber risk management into vendor contracts. This can include requiring vendors to obtain cyber insurance, having them notify your organization after a cyber incident and establishing clear expectations regarding the destruction of data following the termination of your contracts.
- Minimize access that third parties have to your organization’s data.
- Once a vendor or supplier has been chosen, work with them to address vulnerabilities and cybersecurity gaps.
- Monitor suppliers’ compliance with supply chain risk management procedures.
- Consider adopting a “one strike and you’re out” policy with suppliers that experience cyber incidents or fail to meet compliance guidelines.

How to Respond to a Compromised Supply Chain

If your organization’s supply chain becomes compromised or exploited by cybercriminals, follow these response measures to mitigate the damages and prevent future incidents:

- Mitigate first. This could include patching or upgrading software systems, disabling internet access, or moving applications behind firewalls.
- Contact your insurer immediately. Make sure to reach out to your insurer as soon as the incident occurs. Give them as much information as possible to help kickstart the claim process.
- Engage legal counsel. Consult your organization’s trusted legal professionals for additional guidance on adopting an appropriate response to the incident—such as whether to contact law enforcement or inform stakeholders.
- Enlist forensic expertise. Have forensic experts work with your organization to investigate the incident. These experts can help identify the perpetrator(s), determine potential cybersecurity gaps that led to the incident and offer tips for preventing similar supply chain concerns going forward.

  • Salmonella Contamination

    The rates of Salmonella illness in the US have been a vexing challenge for many years. Despite setting goals for Salmonella reduction, the number of cases has remained stubbornly high. While a lot has been done to focus on Salmonella in recent years, it has been a challenge on many fronts to drive the numbers down.

Tackling the Persistent Challenge of Salmonella Contamination

Salmonella is a problem that impacts both FDA- and USDA-regulated food products but has recently become a major focus for USDA. As detailed in a 2014 GAO Report to Congress, USDA has taken several actions since 2006 to reduce contamination from Salmonella in poultry products: it reduced allowable Salmonella contamination in young poultry carcasses; developed an action plan to prioritize actions to reduce Salmonella; and published a final rule in August 2014 to modernize poultry slaughter inspections. Despite those actions, the September 2014 report was not only entitled “USDA Needs to Strengthen Its Approach to Protecting Human Health from Pathogens in Poultry Products,” it stated “Poultry products contaminated with pathogens cause more deaths than any other commodity.”

Fast forward seven years later to October 2021, and little seems to have changed, with CDC estimating that Salmonella still causes more foodborne illnesses than any other bacteria (about 1.35 million infections, 26,500 hospitalizations, and 420 deaths in the U.S. every year), and it is estimated that over 23% of those illnesses are due to consumption of chicken and turkey. In an October press release, USDA itself conceded that: “Far too many consumers become ill every year from poultry contaminated by Salmonella”; and “Time has shown that our current policies are not moving us closer to our public health goal. It’s time to rethink our approach.” And this was after issuing the Guideline for Controlling Salmonella in Raw Poultry in July to help poultry establishments identify and implement pre- and post-harvest interventions to control Salmonella as part of their HACCP system and utilize microbial testing results to monitor the performance of the HACCP system and inform decision-making.

Action Taken by the USDA

So USDA is at it again: “mobilizing a stronger, and more comprehensive effort to reduce Salmonella illnesses associated with poultry products.” Intending to drive the industry closer to the national target of a 25% reduction in Salmonella illnesses, USDA has (again) set reducing Salmonella infections attributable to poultry as one of its top priorities. Included in its action items are:

- Seek stakeholder feedback on specific Salmonella control and measurement strategies, including pilot projects, in poultry slaughter and processing establishments.
- Encourage preharvest controls to reduce Salmonella contamination coming into the slaughterhouse.
- Consult with the National Advisory Committee for Microbiological Criteria in Foods for building on the latest science.
- Examine how quantification can be incorporated into its approach.
- Focus on the Salmonella serotypes and the virulence factors that pose the greatest public health risk.

While it seems that USDA has been attempting to reduce Salmonella since the turn of the century (because it has been nearly that long), it is not just the U.S. that is contending with the issue. Salmonella has become a major cause of foodborne infection outbreaks worldwide, with estimates of 93.8 million cases of non-typhoidal Salmonellosis and 155,000 deaths occurring every year in the world; 86% of these illnesses are due to the consumption of Salmonella-contaminated food items. The most common serotype is enteritidis, especially in Europe, where it accounts for 85% of Salmonella cases, Asia (38%), and Latin America and the Caribbean (31%).

Both the Center for Science in the Public Interest and a prominent plaintiff attorney have submitted petitions to USDA pointing out the importance of declaring specific Salmonella serotypes adulterants. So far USDA has not moved in that direction, but likely they are heading that way. The recent announcement from USDA around Salmonella reduction is a cry that has been made before – so what is different this time? My view is that some members of the poultry industry have done a great deal to reduce Salmonella and have focused heavily, and appropriately, on the live side of the operation. After all, the greater the load of Salmonella that arrives on the birds, the harder it is to control it during processing. Time will tell where USDA goes this time; and at this point, they appear to be embarking on asking for data and pursuing more science. But as that process moves along, it would be wise for the poultry industry to continue to look at ways to mitigate Salmonella to the greatest extent possible.

TAG and the dedicated Food & Agribusiness team at Cottingham & Butler work closely together to provide practical and cost-effective solutions and develop insurance programs based on the customized needs and goals of food and agribusiness clients throughout the world. We work together to strategically develop risk transfer (contractual and insurance) programs built to retain and/or backstop risk per the tolerance of each company. Risk mitigation is a core competency of both organizations and drives resiliency in the individual businesses and broader portfolio. This article is an adaptation of an article published by TAG.

  • HR’s Role in Preventing Cyberattacks

    Preventing cyberattacks has become a pressing matter for employers across the globe, but especially for those in the United States. According to the Identity Theft Resource Center, the number of reported U.S. data breaches rose 68% between 2020 and 2021, increasing to a record-setting 1,862 incidents. Of these breaches, 83% involved sensitive information, such as Social Security numbers. These breaches targeted various organizations and industries, including manufacturing, utility services, and finance. Essentially, any business that retains potentially valuable information could be a target; cybercriminals are frequently looking for the personal information of everyday citizens to sell or to use to gain access to other systems.

    Oftentimes, cybercriminals breach organizations via their employees; all it takes is one employee clicking on a phishing email (i.e., a fraudulent message intended to trick recipients into compromising important data). This is where HR comes in. HR teams are often tasked with communicating policy updates and workplace expectations. When it comes to cybersecurity, HR is naturally suited to partner with IT and provide basic educational resources. This article offers tips to help HR teams prevent cyberattacks and protect employees and their organizations.

    Understand the Risks & Have a Backup Plan

    While it’s true that cybercriminals frequently target individuals’ personal information, that’s not their only goal. Sometimes, malicious actors will take that personal information and use it to gain access to other secure points—potentially affecting systems beyond the breached organization itself. For instance, a cybercriminal may steal an employee’s login and password, then use those details to access customer databases or even critical infrastructure. A recent example of this came in 2021 when cybercriminals took down Kronos, the ubiquitous timekeeping software. With the cloud-based system down globally, employees couldn’t clock in or out—time punches were simply inaccessible. This proved very disruptive for payroll and time tracking. Yet the larger takeaway is that even if an employer does everything right, it can still be impacted if a vendor experiences a cybersecurity breach.

    That’s why HR teams need to think about the vendors and systems they rely upon when preventing cyberattacks. These systems may include timekeeping software, case management software or learning management systems. Consider what would happen if any one of those tools stopped working or became inaccessible. How would that impact operations? Considering these potential scenarios can help HR teams better strategize their responses. For instance, if timekeeping software were to break down, perhaps employees would be required to use an HR-provided paper form to track their time. Additionally, given the vulnerability of cloud-based systems, HR teams can think about regularly backing up and archiving critical information, including customer details, time-tracking data or transaction receipts. Essentially, if a vendor system breaks down, HR still needs to ensure day-to-day operations can run smoothly.

    Develop Cyber Training and Contingency Plans

    Preparation is key in preventing cyberattacks. This primarily entails ensuring monitoring and security measures are in place to prevent breaches and to detect them when they occur. While this preparation is a responsibility for IT, HR teams can partner with IT and contribute to cybersecurity in their own way: employee training and contingency planning. Every employee in an organization should be trained on proper cybersecurity protocols and best practices. This includes knowing how to spot a phishing scam, maintaining strong passwords, using unique passwords for different logins and reporting suspicious database activity. While HR teams likely aren’t composed of IT experts, they can still help disseminate these and other cybersecurity best practices to employees. Even basic precautions can make a huge difference in protecting against breaches of critical data.

    However, not every breach is preventable, nor are all breaches the same. It’s one thing for a cybercriminal to get a list of first names; it’s another for them to steal both names and Social Security numbers. Moreover, employers can still have their data compromised even if they take all the right steps. After all, a breach may occur at a third-party vendor, a situation over which employers have no control. This means it’s also vital for HR teams to strategize about cyberattack contingency plans. Essentially, these plans help employers make sense of a data breach once it occurs and kick off the recovery process. Generally, a cyberattack contingency (or response) plan should cover the following questions:

    • What data has been impacted?
    • How sensitive was the data (i.e., does the breached data include addresses, Social Security numbers or banking information)?
    • What is the employer’s obligation to report the data breach (i.e., sometimes customers, employees, the government or all of the above need to be notified)?
    • Based on the type of data breach, how quickly must the incident be reported to the applicable parties?

    Depending on an employer’s state and industry, the answers to these questions will vary. That’s why it’s essential to address these issues in a cyberattack contingency plan before a breach occurs. Employers should speak with legal counsel for help understanding their coverage risks. Cottingham & Butler also offers a free Cyber Security Diagnostic.

    Assess a Breach and Be Responsive to Employees

    If and when a data breach occurs, HR teams must stay calm, as employees will be looking to them for messaging and next steps. HR will need to respond to employee concerns about the compromised data; other teams will likely address external messaging while HR focuses internally. More specifically, a data breach that affects an organization will almost certainly affect its employees, even if the compromised data seems unrelated to staff. That’s because employee credentials are often stolen to access larger databases. While employee credentials may not be the intended target of a breach, they can still get swept up during the cyberattack along with other pieces of personal data. In other words, regardless of the type of data breach or its scope, employees may have concerns about their own information when one occurs. Therefore, HR teams should be ready to field employee questions related to a breach and have meaningful response measures in place. For instance, if employee data is compromised (potentially or actually), employers may provide free identity theft protection or credit activity monitoring services to their staff.

    Conclusion

    Cyberattacks aren’t going away anytime soon; they’re likely to increase. According to the Identity Theft Resource Center, ransomware-related cyberattacks have doubled during each of the last two-year periods. This means now is the time for employers and HR teams to prepare for eventual cyberattacks by training employees and solidifying contingency plans. For more information, reach out to a Cottingham & Butler representative today.