
Blog - Tag: Measured Risk Insurance Services

Expensive Litigation Is Driving Insurance Costs

Soaring court judgments and jury awards are pushing up the cost of commercial liability and umbrella insurance policies, particularly for businesses that have been sued before.

There are a number of factors at play, including massive “nuclear” jury awards for tens of millions of dollars, private equity-backed lawsuits and a phenomenon known as “social inflation” — when the costs of jury awards increase faster than the cost of living.

A 2024 A.M. Best report found that social inflation and large verdicts mostly affect commercial auto, professional liability, product liability and directors and officers liability insurance.

Policyholders are also facing more restrictive general liability coverage as insurers continue to reduce their exposure.

What’s happening

A 2024 study by reinsurance company Swiss Re found that social inflation had increased liability claims by 57% over the previous decade. The increase in 2023 alone was 7%. Another study showed that over a five-year period, the top 50 insurers in the U.S. had allocated half a billion dollars for litigation expenses.

The Insurance Information Institute in early 2024 pointed to legal-system abuse as a leading reason for auto insurance companies losing money to the tune of $1.10 for every $1 in premium.

“As dangerous roads and driving conditions as well as economic costs have been on the rise for several years,” the institute wrote, “the challenges presented by overzealous billboard attorneys are exacerbating the situation.”

Adding fuel to the fire is the increase in “nuclear verdicts” — when a jury awards damages of more than $10 million.

Fears of verdicts this large have encouraged businesses and their insurers to settle claims rather than fight them, leading to higher costs.

Lawsuits have also become investment vehicles. Private equity firms are funding lawsuits against businesses in return for a share of any awarded damages or settlements.

Recent ‘nuclear’ jury awards

  • In 2021, a Florida jury awarded a landmark $1 billion verdict to next of kin of a motorist who was killed after a driver for Kahkashan Transportation Inc. was on his cell phone when he flipped his semi truck, plowing into the man’s vehicle. 
  • A Philadelphia jury in May 2024 ordered Exxon Mobil to pay $725 million to a service station mechanic who developed cancer after being exposed to benzene in gasoline.
  • In June 2024, a California jury ordered entertainment mogul Alki David to pay $900 million to a former worker who had accused him of sexual battery.

What you can do

Your business can reduce its chances of getting sued by:

  • Focusing on risk management,
  • Ensuring you hire good drivers and provide training that focuses on reducing risks of distracted driving,
  • Preventing workplace discrimination and harassment,
  • Maintaining clear and detailed documentation,
  • Implementing sound business practices,
  • Training employees on legal compliance, and
  • Having clear contracts.

 

You can work with your insurance companies both on loss prevention and managing claims for losses that do occur. Finally, work with us to ensure that you have liability policy limits that are realistic in today’s world.


A New Cyber Security Threat Businesses Cannot Ignore

An allegedly Chinese state-sponsored hacker campaign dubbed “Salt Typhoon” has infiltrated major cell phone providers, including AT&T and Verizon, potentially exposing your company’s communications to threat actors.

The attack has been described as the most significant telecommunications hack in U.S. history. While the breach is alarming for individuals, the implications for businesses are profound and demand immediate attention.

 

What is Salt Typhoon?

Salt Typhoon is a sophisticated cyber-espionage operation allegedly orchestrated by the Chinese government. The campaign has targeted vulnerabilities in telecom providers’ infrastructure to access text messages, monitor communications and extract sensitive metadata.

The ongoing breach has affected at least eight major U.S. telecom companies and poses a severe threat to national security and corporate privacy.

 

Potential dangers to businesses

  1. Exposure of sensitive information

    Text messages often contain business-critical details, such as contracts, client discussions, or even login credentials. If these communications are intercepted, companies risk financial loss, reputational damage and legal consequences.

  2. Corporate espionage 

    Competitors or foreign entities gaining access to a company’s internal strategies could result in lost market advantages or intellectual property theft.

  3. Regulatory and legal repercussions 

    Many industries are subject to strict data protection laws. A breach exposing customer or employee information could lead to fines and legal actions under regulations such as GDPR or CCPA.

  4. Erosion of trust 

    Business partners and clients may lose confidence in a company’s ability to safeguard information, leading to strained relationships and loss of business opportunities.

 

Government warning

In response to the Salt Typhoon campaign, the U.S. government issued strong recommendations for using end-to-end encrypted communication platforms.

Unlike standard text messaging or phone calls, end-to-end encryption ensures that only the sender and recipient can read the messages, preventing interception even if a network is compromised.

Apps like WhatsApp and Signal, and corporate platforms such as Microsoft Teams and Zoom with encryption features, have been singled out as secure alternatives. In contrast, traditional SMS and non-encrypted messaging services remain vulnerable.

For businesses, adopting these recommendations is a necessity. The FBI and the Cybersecurity and Infrastructure Security Agency have emphasized that sensitive communications must migrate to encrypted platforms to mitigate risks from ongoing cyber threats.

 

Protecting your firm

Protecting your business from the fallout of attacks like Salt Typhoon requires a multi-layered approach. Here are some critical steps:

  • Use encrypted messaging: In light of the official recommendations above, shift all internal and external communications to end-to-end encrypted platforms such as Signal or WhatsApp, or enterprise solutions with encryption features.
  • Eliminate SMS-based authentication: Avoid using text-based, one-time passwords for authentication; instead, deploy hardware security keys or app-based authenticators.
  • Update systems regularly: Ensure all devices and software are updated to patch known vulnerabilities.
  • Train employees: Conduct regular cyber-security training to educate employees about phishing, secure communications and device management.
  • Limit data access: Implement least-privilege access controls to restrict sensitive data to only those who need it.
  • Conduct security audits: Regularly audit your infrastructure for vulnerabilities. Engage third party experts to perform penetration tests and simulate attacks to identify and address weak points.

 

Finally, you should have in place a robust cyber-insurance policy, which can help mitigate the financial impact of a breach. A comprehensive policy should cover:

  • Forensic investigations
  • System remediation and restoration
  • Legal and regulatory compliance
  • Business interruption losses.

Top 10 laws for 2025

With 2025 now upon us, so is a slew of new laws and regulations that will affect California businesses.

Every year, laws passed by the state Legislature and signed into law by the governor take effect, and 2024 was a busy legislative session in Sacramento. The end result is another round of new legislation that California employers need to stay on top of.

This item is the first of two parts, highlighting the top 10 laws and regulations affecting California businesses in 2025.

 

1. ‘Captive audience’ meetings barred

Starting Jan. 1, California employers are prohibited from requiring employees to attend “captive audience” meetings where the employer shares its opinions on political or religious matters.

This includes topics such as unionization, legislation, elections or religious affiliations. Under the new law, SB 399, employees who choose not to attend must still be paid for their regular work time during these meetings.

Employers are also barred from retaliating, discriminating or taking any adverse action against employees who opt out.

The law applies broadly to most employers, but does include some exceptions, including religious organizations, political organizations and educational institutions providing relevant coursework. The law also allows for required communications or training mandated under laws related to workplace safety, civil rights or job performance.

Employers who violate SB 399 could face significant consequences, including a civil penalty of $500 per employee, per violation. Workers who believe their rights were violated can file a complaint with the Labor Commissioner, seek injunctive relief (a court order to stop the violation), and potentially claim additional damages through civil lawsuits.

 

2. Egregious offenders

Cal/OSHA is working on new rules that would crack down and step up enforcement and penalties against California employers that commit “egregious” and “enterprise-wide” workplace safety violations.

The forthcoming rules, expected to take effect this year, would impose substantial penalties on companies that have “shown a disregard towards California workplace safety regulations and the well-being of their employees.”

A business cited for an egregious violation could be fined up to $158,000 “per instance,” meaning it can be applied for each employee exposed to the violation and across multiple locations.

Violations that could be considered “egregious” include, but are not limited to, the following:

  • The employer, intentionally, through conscious, voluntary action or inaction, made no reasonable effort to eliminate the known violation.
  • The employer has a history of one or more serious, repeat or willful violations, or more than 20 general or regulatory violations per 100 employees.
  • The employer intentionally disregarded its health and safety responsibilities, such as by failing to maintain an effective Injury and Illness Program or ignoring safety and health hazards.

 

3. Expanded paid sick leave

Two bills have expanded the use of paid sick leave.

The more far-reaching measure, AB 2499, expands current state law that allows employees who are victims of crime or abuse to take time off for court appearances, treatment and various other reasons.

The new measure also expands the use of paid sick leave to cover certain “safe time” absences for issues like:

  • Domestic violence,
  • Sexual assault,
  • Stalking, or
  • An act, conduct or pattern of conduct that includes:
    • An individual causes bodily injury or death to another.
    • An individual exhibits, draws, brandishes or uses a firearm or other dangerous weapon, with respect to another.
    • An individual uses or makes a reasonably perceived or actual threat of use of force against another to cause physical injury or death.

 

AB 2499 also permits workers to take time off to help family members who are victims of a crime.

The law protects workers from the threat of discrimination or retaliation for requesting or taking the time off. Under the new law, employees can use vacation, personal leave, paid sick leave, or compensatory time off that is available to them for safe-time absences. It applies to workplaces with 25 or more staff.

The second measure, SB 1105, allows agricultural workers to use accrued paid sick leave to avoid smoke, heat or flooding conditions created by a local or state emergency, like a heatwave, wildfire or flooding.

The measure states that this is a clarification that existing law allows workers to take sick days for preventive care.

 

4. Freelance Worker Protection Act

Starting this year, California’s Freelance Worker Protection Act imposes new requirements on businesses hiring freelance workers for professional services worth $250 or more.

The law requires employers to provide freelancers with a written contract outlining key details, including the services provided, payment amounts and deadlines for compensation. If no payment date is specified in the contract, freelancers must be paid no later than 30 days after completing their work.

Businesses cannot require freelancers to accept less pay than agreed upon or provide additional services after work has begun as a condition for timely payment.

Importantly, the law also prohibits retaliation against freelancers who assert their rights, such as raising complaints about violations or seeking enforcement of the law.

Noncompliance can lead to significant penalties. If a written contract is not provided, employers may face a $1,000 penalty.

Late payments can result in damages up to twice the amount owed, while other violations may require businesses to pay damages equal to the value of the contract or the work performed — whichever is greater. Freelancers can also file lawsuits to recover unpaid amounts and seek attorney’s fees.

 

5. Indoor heat illness

These new requirements actually took effect at the end of last summer, so 2025 is the first full year they’ve been in effect.

Cal/OSHA’s indoor heat illness prevention rules require employers to protect workers in indoor workplaces when temperatures reach 82 degrees Fahrenheit or higher. These regulations apply to most indoor settings, but will mainly affect restaurants, warehouses and manufacturing facilities.

At 82 degrees, employers must ensure workers have cool, potable water nearby and access to a cool-down area where temperatures remain below 82 degrees. Workers should be encouraged to take rest breaks to prevent heat-related illness, and monitored for symptoms during these breaks. If clothing restricts heat removal or radiant heat sources are present, these measures apply immediately.

At 87 degrees, employers must take additional steps, when feasible, such as cooling work areas, providing personal heat-protective equipment and implementing work-rest schedules.

Affected employers should evaluate options like installing air conditioning to maintain safe temperatures. While this is feasible for smaller spaces, larger facilities like warehouses may require alternative compliance strategies.

 

6. PAGA reform

In July 2024, Gov. Newsom signed into law two measures aimed at curbing rampant abuse of the Private Attorney General Act, which has become a costly thorn in the side of businesses in California.

PAGA allows workers who allege they have suffered labor violations, like unpaid overtime or being denied mandatory meal and rest breaks, to file suit against their employers rather than take the more typical route of filing a claim with the state Department of Labor Standards Enforcement.

The new laws aim to reward employers with reduced penalties if they address in good faith issues raised by an employee.

For example, the reforms cap the assessment at 15% of the available penalty for employers that take immediate and proactive steps to bring themselves into compliance with California Labor Code. Employers that take “reasonable” steps to address issues within 60 days of receiving a PAGA notice would face a maximum penalty of 30% of the available penalty under the law.

The new PAGA also requires a worker to personally experience violations alleged in a claim if they want to bring action. It also increases workers’ share of awards to 35%, from 25%. The rest of the funds go to the Labor & Workforce Development Agency.

However, legal pundits predict the changes won’t reduce the number of PAGA lawsuits being filed in the state.

 

7. Family leave change

A new law, AB 2123, bars employers from requiring that workers who plan to take time off under the state’s Paid Family Leave Program first take up to two weeks of accrued vacation time before benefits kick in.

 

8. Driver’s license queries

Starting in 2025, employers are barred from stating in help-wanted ads and job applications that having a driver’s license is a prerequisite for a job, unless the employer:

  • Reasonably expects that driving will be part of the job, and
  • Reasonably believes that allowing the employee to use alternative forms of transportation (including ride-sharing, taxi or bicycle) would take more time or require the business to incur higher costs.

 

9. Poster updates

Employers have to update two mandatory work posters this year.

The standard poster that informs employees about their rights under workers’ compensation laws needs to be updated. The new poster must include language stating that employees may consult with an attorney for advice about workers’ comp law and that they may have to pay attorneys’ fees if they hire a lawyer as part of their claim.

Also, businesses are required to post an updated paid leave law notice to reflect the changes ushered in by AB 2499, the paid leave law for crime and abuse victims discussed above.

 

10. Minimum wage

California’s minimum wage increased to $16.50 an hour on Jan. 1. This rate is for all areas of the state, except for those jurisdictions that have implemented their own minimum wage to reflect the higher cost of living in their area.


Employee Surveillance Doesn’t Boost Productivity, but Breeds Resentment: Study

As more people have been working remotely over the last few years, some employers have turned to employee-tracking software to ensure that these staff are working while on the clock, and to boost productivity.

Tools like activity monitors and location trackers, however, do not actually increase productivity and they can instead cause a backlash among workers, affecting job satisfaction and stress levels, according to a new poll.

Additionally, 26% of tracked employees said they distrust their employer and half of them feel pressured to work more hours, the survey by review website Software Finder found.

These findings cast doubt on the effectiveness of remote-employee monitoring and tracking, in light of the fact that one in four remote or hybrid workers are tracked.

 

What employers are tracking

Companies are mostly tracking workers to ensure they are staying productive and working their schedules. They employ a myriad of methods, including:

  • Time-tracking software — Helps monitor when employees log in and out of work systems, and how they distribute their time across tasks.
  • Screen monitoring — Offers real-time insights into employees’ screen activities, providing a glimpse into their work habits and efficiency.
  • Keystroke logging — Tracks every keypress, offering data on productivity and potential security risks.
  • Communication monitoring — Analyzes team messaging platforms to understand communication patterns, collaboration and information sharing.

 

Some employers also track a worker’s company-issued phone and computer locations.

 

Employee resentment

The survey found that:

  • 53% of employees believe it’s a privacy violation for employers to track their activity.
  • Three in four employees believe it’s a privacy violation for employers to track their location.
  • 64% of untracked employees would recommend their company to others, while 58% of tracked staff would do the same.
  • 36% of employees whose activity is tracked are currently looking for a new job, compared to just 18% of those who are not tracked.

 

Some employees have gotten wise and try to thwart software that tracks mouse movements by using “mouse jiggling,” a device or software that mimics mouse movement, or other software.

This prevents tracking software from detecting inactivity and makes employees appear active when they aren’t. The survey found that 17% of workers use mouse jiggling and that 12% don’t, but want to.

 

What you can do

All of the above said, remote-worker tracking can be a good thing if it’s implemented with care.

Insightful.com has this advice for companies that aim to track their employees’ work:

  • Don’t track remote workers’ time outside work hours.
  • Don’t install monitoring software on their personal devices.
  • Don’t track remote workers without consent.
  • Don’t use data to micromanage your employees.
  • Don’t ignore signs of burnout in your staff.

 

If you do plan to implement tracking, it is important that you are transparent about the process. The review website recommends the following:

Set standards for remote staff. Make sure they are treated equally and entitled to the same break schedules and hours as their peers. Also, if you allow your office workers to chat with one another around the water cooler, you should allow the same deference to your remote workers who log into a social media account for a few minutes.

Encourage staff to raise questions/concerns. If you are implementing remote-employee monitoring, your staff will have many questions and concerns. It’s important that you keep an open line of communication with those who may feel that their privacy is being invaded.

Be transparent about the implementation of monitoring software, and cover the program in meetings with your staff and address their concerns.

After you’ve started using tracking software, you should hold a few meetings a year to check in with your workers about issues they may have. This will give you the chance to also adjust your tracking metrics.

Train remote employees. Your workers, supervisors and managers should know how to use the software properly and be familiar with its features and understand why it’s being used.


Spike in Pregnant Workers Fairness Act Lawsuits Alarms Employers

Since the Pregnant Workers Fairness Act took effect in June 2023, there’s been a huge spike in lawsuits against employers alleging failure to reasonably accommodate workers covered by the landmark legislation.

In the first 11 months following enactment of the law, the Equal Employment Opportunity Commission received 1,869 complaints from workers who allege their employer failed to provide them with reasonable accommodation under the PWFA, according to an article in Business Insurance, a trade publication.

As a result, the EEOC has taken action and between Sept. 10 and Oct. 11, 2024 it initiated four federal lawsuits against companies over alleged violations of the law.

The recent activity should be a wake-up call to employers to put as much effort into complying with this new law as they do the Americans with Disabilities Act, which is similar to the PWFA in that it requires employers to initiate an interactive process with a worker who seeks reasonable accommodations under the act.

 

The law

Essentially, the PWFA requires employers to make reasonable accommodation for workers covered by the act if they request it, particularly if they are temporarily unable to perform one or more essential functions of their job due to issues related to their pregnancy or recent childbirth.

Reasonable is defined as not creating an “undue hardship” on the employer. Temporary is defined as lasting for a limited time, and a condition that may extend beyond “the near future.” With most pregnancies lasting 40 weeks, that time frame would be considered the near future.

 

What’s required

The law requires employers, absent undue hardship, to accommodate job applicants’ and employees’ “physical or mental condition related to, affected by, or arising out of pregnancy, childbirth, or related medical conditions.”

The condition does not need to meet the ADA’s definition of disability and the condition can be temporary, “modest, minor and/or episodic.”

The PWFA covers a wide range of issues beyond just a current pregnancy, including:

  • Past and potential pregnancies,
  • Lactation,
  • Contraception use,
  • Menstruation,
  • Infertility and fertility treatment,
  • Miscarriage,
  • Stillbirth, and
  • Abortion.

 

What’s a ‘reasonable accommodation’

The law’s definition of reasonable accommodation is similar to that of the ADA. The regulation lays out four “predictable assessments,” which would not be an undue hardship in “virtually all cases.” These would allow an employee to:

  • Carry or keep water nearby and drink, as needed;
  • Take additional restroom breaks, as needed;
  • Sit if the work requires standing, or stand if it requires sitting, as needed; and
  • Take breaks to eat and drink, as needed.

The takeaway

The PWFA poses a significant employment liability risk for employers since it’s a new law and supervisors and managers may not be aware of it.

Employers will need to ensure that they properly handle and respond to accommodation requests under the PWFA.

To ensure compliance, you should ensure that personnel who are responsible for handling accommodation requests under the ADA are also trained in how to respond to requests under the PWFA.

As well, you should ensure that you have in place a robust employment practices liability insurance policy that may help cover the costs of any lawsuits filed under the act.

Insurance companies that underwrite these policies may also ask targeted questions in applications forms on how a business handles PWFA accommodation requests and whether the responsible employees have been trained in its application.

Companies that don’t have policies in place may instead get a policy that contains an exclusion for PWFA accommodation claims.


The Holidays Have Their Own Workplace Perils

On-the-job accidents may increase during the holidays as distractions in the workplace increase and decorations can pose safety issues. 

Normal routines and schedules are disrupted, and your staff — like everyone else — are also rushing around to crowded and chaotic stores and malls after work and on weekends.

Be aware that accidents may be more likely to happen at this time of the year at the workplace, on the road or at home. Employees tend to take extra physical risks ― such as when hanging lights and lugging trees around. And if you hold a holiday party, it opens up a new set of potential liabilities. 

 

In-office safety

When planning decorations for the office, it is important to keep holiday safety in mind.

Decorating the office helps workers enjoy the spirit of the season together, but remember that proper safety precautions should be observed at all times:

  • Be mindful of potential fire hazards when selecting holiday decorations and where you place them.
  • Be careful of stapling holiday lights, do not add too many strings of lights and make sure illuminated items are turned off.
  • Verify that all fire extinguishers are in place and fully charged and accessible.
  • Do not block exits, hang decorations on fire extinguishers, fire alarms or fire hose boxes, or obstruct the view of exit signs.
  • Do not hang decorations from sprinkler heads or electrical panels.
  • Without proper planning, holiday decorations can create tripping hazards. Extension cords should not be run through traffic areas where they pose trip hazards and, if you have to use an extension cord, use the proper one.
  • Avoid placing trees, freestanding decorations and presents in traffic areas.

 

Holiday party

The holidays bring office parties and, if alcohol is being served, keep in mind the liability involved.

Provide plenty of alternatives to alcohol, such as soft drinks, coffee, tea, water and cocoa. Hire a professional bartender who can cut people off if they have too much.

Enforce the same workplace rules of etiquette at the party as you do in the workplace.

If you serve alcohol, also serve food.

Stop serving alcohol a few hours before the party ends. Offer to cover the cost of an Uber or Lyft ride home for anyone who needs it.

 

The takeaway

If you keep in mind that the holidays put extra pressure on everyone, it may help you to keep your workplace free of accidents.

By following a few simple safety tips, it will be easy to enjoy the holiday and the events at work without dealing with injuries or damage to property.

When planning for the holidays, incorporate safety precautions into the planning process.


Legal Traps to Avoid When Dealing with FMLA Requests

When an employee files a federal Family and Medical Leave Act request to either deal with a health issue or care for a loved one, their employer is often put in a tight spot, particularly if the person serves a vital role in their organization.

There are also a number of rules that employers need to follow to avoid running afoul of the law and there are plenty who have been sued for it, a prospect that can be costly.

If you are confused about navigating the FMLA, here’s a handy list of mistakes to avoid.

Firing – It would be a bad idea to fire an employee if they’re unable to return to work following the end of FMLA leave that is due to their serious health condition. Better to find out if the employee is entitled to any additional time off under employment laws or through company policies.

The Americans with Disabilities Act (ADA) may consider granting of additional leave “reasonable accommodation,” in legal terms.

That definition comes from determining whether the employee’s condition is a disability. Under the ADA, most serious health conditions as defined by the FMLA are considered disabilities. If you’re in doubt, ask your legal counsel for advice.

Then you have to figure out whether the requested time off is legally considered “reasonable.” Under the ADA, you as an employer don’t have to grant leave as an accommodation if it poses “hardship” or “undue hardship” to your organization.

Miscalculation – You can calculate FMLA leave by calendar year, by any fixed 12-month period, or by the 12 months measured forward from when an employee’s FMLA leave begins. It can also be calculated over a 12-month period measured backward from the date an employee uses the leave.

Deadlines – Meeting FMLA deadlines for processing requests for leave under its guidelines is critical. Within five business days of learning an employee has requested FMLA leave, you must provide them with the “Notice of Eligibility Rights and Responsibilities Form,” or something similar that your company has prepared.

Next, if you require the employee to file a certification form, you must allow them 15 calendar days to do so. Then, within five business days of receiving the certification form, you must provide the employee with an FMLA designation form that tells them whether the request has been approved.

But if the certification form is incomplete or insufficient, you then must allow the worker seven calendar days to make necessary corrections. You must give written notice to employees of all deadlines, and the consequences of failing to meet them.

Reassignment – If you want to reassign an employee on FMLA leave for better efficiency, you can only do so for employees who need intermittent or reduced schedule leave.

Reassignments can be done for the employee, family or covered service member if such leaves are a planned medical treatment, a period of recovery from a serious health condition, or due to the birth of a child or placement of a child into adoption or foster care. Beyond that, the reassignment is to be only as long as is required by the leave period.

You are also prohibited from transferring employees to a position to discourage them from taking FMLA leave. That means you can’t demote them from marketing supervisor to customer service rep, even if their pay and benefits remain the same at the reassigned position.

Meanwhile, you may not require a transfer to another job when the employee’s need for an intermittent or reduced schedule is unforeseeable.

 

The takeaway

As you can see, the FMLA is a veritable minefield for employers and, if an employee requests leave under the law, you must make sure you don’t do anything to infringe on their rights, lest you open your organization to being sued.


Business Interruption the Fastest-Growing Cyberattack Cost

A new study has found that the fastest-growing cost associated with cyber incidents is business interruption, reinforcing the need for businesses to have in place robust response and data restoration measures, particularly after a ransomware attack.

Between 2019 and 2023, the average cyber insurance claim that involved business interruption ended up costing 450% more than claims that had no lost income, according to the 2024 NetDiligence Cyber Claims Study.

Business interruption can occur if a cyberattack like ransomware fully or partially disables a company’s operations or if a vendor suffers a cyberattack that forces the client company to suffer a loss or inability to operate.

The latter, known as “contingent business interruption,” can occur if a cyberattack cripples a supplier’s factory and keeps it from producing a part that’s crucial for another company’s production operation.

The study also found that if business interruption is involved, the cost of all other parts of a claim, such as crisis services and recovery costs, also increases.

For claims with no business interruption losses, the average cost of a cyber claim for small and mid-sized enterprises (SMEs) between 2019 and 2023 was as follows:

  • Crisis services: $96,000
  • Regulatory and legal: $24,000
  • Total incident cost: $205,000

 

However, for SME claims with a business interruption component during the same period, average costs were*:

  • Business interruption: $487,000
  • Crisis services: $279,000
  • Recovery expense: $115,000
  • Total incident cost: $995,000

 

* There was no information on regulatory and legal costs for these types of claims.

For large companies, the average business interruption cost was $26 million, with total incident costs averaging $36 million in 2019-2023.

 

What you can do

First: Ensure that you have in place systems, policies and training to reduce the chances of your organization being hit by a cyberattack.

One of the study authors noted that many companies he deals with are woefully unprepared for a cyber event-caused business interruption.

“We continue to see SME clients transform their businesses to be more reliant on digital systems while failing to understand the inherent risks that come from complex digital ecosystems,” said Alden Hutchison, principal of global consulting firm RSM US LLP.

“This becomes very evident during the recovery process for a client where it’s clear they haven’t planned for resilience in their digital platform nor practiced operating their business processes during a crisis scenario,” he explained.

Experts recommend:

Disconnecting all networks. As soon as a threat is discovered, disconnect every vulnerable device from your network in order to keep the attack from spreading.

Regular back-ups. Back up critical data to a secure, offsite location to enable swift recovery in case of a cyberattack. Even better: Download your data on a daily basis to a hard drive that is not connected to your database or the internet.
But beware: Ransomware can have dwell times as long as six months, so malware might have been included in your archival backups. Before restoring, run an anti-malware package on all systems and drives.

Detailed planning. Create a detailed plan outlining response procedures to a cyberattack, including roles, responsibilities, and data recovery and restoration strategies. Also, prioritize in advance what data or systems need to be recovered first, and when.

Continuous monitoring. Continuously monitor network traffic for suspicious activity to detect potential threats early, before they spread and threaten to take your entire system down.

 

Cyber coverage

Finally, you should have in place a cyber insurance policy. Most policies include coverage for both business interruption due to an event on your systems and contingent business interruption for a cyber event at a vendor or supplier.

You can often work with us to tailor-make your cyber policy to ensure it would cover your business’s specific needs.


Leave Protections Expanded for Employee Victims of Violence

Gov. Gavin Newsom has signed into law a bill that provides a right to paid time off and other protections for employees who are victims of violence, including threats, assaults, stalking and domestic abuse.

AB 2499 makes significant changes to California’s “jury, court and victim time off” law by expanding instances when a victim of a “qualifying act of violence” can take time off, and provides protections against retaliation for taking that paid time off. The law already requires that employers provide time off for workers who are on juries or have to appear in court.

The new law also requires employers to provide reasonable accommodation to employees who are victims of violence, in a process that’s akin to the Americans with Disabilities Act’s interactive process.

 

Current law

Under current law, employers are barred from discriminating or retaliating against a worker based on their status as a victim of crime or abuse, for taking time off for jury duty or to comply with a subpoena or other court order.

As well, firms with 25 or more workers may not discriminate or retaliate against an employee who is a victim of crime or abuse for taking time off:

  • To seek medical attention for injuries related to the crime or abuse,
  • To obtain services as a result of the crime or abuse, or
  • To participate in actions to increase their safety from possible future crimes or abuse.

 

Changes under AB 2499

AB 2499 replaces the term “victim of crime or abuse” with an individual against whom a “qualifying act of violence” (QAV) is committed, which includes:

  • Domestic violence,
  • Sexual assault,
  • Stalking, or
  • An act, conduct or pattern of conduct in which an individual:
      • Causes bodily injury or death to another,
      • Exhibits or uses a firearm or other dangerous weapon against another, or
      • Uses or makes a reasonably perceived or actual threat against another to cause physical injury or death.

 

The law also extends protections to employees who need to take time off if they have a family member who is the victim of a QAV. “Family” includes:

  • A child, parent, grandparent, grandchild, sibling, spouse or domestic partner; or
  • A “designated person” who is blood-related or whose association with the employee is equivalent to a family relationship.

 

It also bars employers with 25 or more employees from discriminating or retaliating against an employee who is a victim of a QAV, or whose family member is a victim, for taking time off to:

  • Obtain relief, including restraining orders.
  • Obtain medical attention after a QAV.
  • Seek assistance from a victim services organization.
  • Seek mental health services related to a QAV.
  • Recover from QAV-related injuries.

 

Reasonable accommodation

Under an ADA-like component to the new law, employers are required to engage in an interactive process to determine effective accommodations if an employee:

  • Discloses that they or a family member is a victim of a QAV, and
  • Requests accommodation for safety reasons.

 

Some examples of reasonable accommodations include:

  • Work transfers or reassignments,
  • Modified schedules,
  • Changed workstation or telephone,
  • Lock installation, and
  • Temporary time off.

 

However, organizations won’t be required to provide accommodation if it would pose an undue hardship to them, including if it would violate their duty to maintain a safe workplace.

 

Notification and paid time off

The new law allows victims to use paid vacation or sick time during any QAV-related leave they take.

If the leave is granted as an accommodation under the Family and Medical Leave Act, the paid leave must run concurrently. Employers may restrict leave to the following:

  • Twelve weeks for an employee who is a victim.
  • Ten days if a worker’s family member is a victim.
  • Five days if a worker’s family member is a victim and needs help relocating.

 

The takeaway

California employers will be required to provide notice to their employees that informs them of their rights under the law when they are hired and if an employee informs the organization that they are a QAV victim.

This is one of those laws that should spur you to seek legal counsel if confronted with a request for time off, and especially if the affected worker requests reasonable accommodation.


This Insurance Can Help You Survive Another Business’s Disaster

In November 2011, floods inundated large parts of central Thailand, including thousands of factories that made everything from automotive parts and hard disk drives to eyeglass lenses and air conditioners. In addition to the human and economic cost in Thailand, the disaster affected businesses around the world.

Carmakers in Detroit shut down because they could not get the parts they needed and half of the world’s hard disk drive production was wiped out, leaving computer manufacturers with stalled assembly lines. When disasters like this occur, businesses around the globe feel the effects.

In addition to making advance arrangements for alternative suppliers, businesses can protect themselves by purchasing two types of insurance coverage: contingent business interruption and supply chain insurance.

 

Contingent business interruption

Contingent business interruption insurance, also called business income from dependent properties, pays for a business’s lost profit plus continuing expenses when it must slow or stop operations because of damage to another business’s property.

These other businesses can be customers or suppliers. For example, if a motorcycle dealership was left with no bikes to sell because its supplier in Japan suffered a fire, the insurance would make up part of the lost income.

The damage must result from a cause of loss that the insurance policy covers, such as fire or a hurricane. This is important because standard property insurance policies do not cover losses caused by catastrophes such as floods and earthquakes.

 

Supply chain coverage

Supply chain insurance takes contingent business interruption a step further. It covers income lost because of damage to a supplier’s or customer’s property. However, it also covers losses resulting from events that do not cause physical damage. These may include:

  • Labor disruptions
  • Production process problems
  • Trade disputes
  • Wars
  • Political turmoil
  • Closed roads, bridges, railroads and shipping channels
  • Public health crises
  • Actions by regulators
  • Financial difficulties

 

Businesses often have different tiers of suppliers, with key suppliers in the top tier and less important ones in the lower tiers. It is common for them to insure only the top tier.

However, insurers are increasingly offering multi-tier coverage. This applies to the business’s entire supply chain. Multi-tier coverage provides a more comprehensive solution for the business while also spreading out the insurer’s risk.

Some insurers offer options. One lets policyholders choose between measuring losses in terms of gross earnings or number of units from the supplier. Some also offer agreed-value coverage, which eliminates penalties for buying amounts of insurance less than the amounts of value at risk.

Businesses should determine where they are vulnerable to supply chain losses and develop back-up plans for dealing with unexpected disruptions. These could include reserves of the needed supplies and contracts with alternative suppliers.

Insurance can help the business recover from a supply chain loss after the fact. Advance planning can help make that loss as small as possible.

If you would like to know more about business interruption insurance, don’t hesitate to contact us.
