Resources & Insights


Ransomware Attacks on the Rise – Are You Covered?

With ransomware attacks on the rise, insurance is playing a growing role. And, although ransomware coverage has traditionally been sublimited within cyber policies, stand-alone cyber policies that cover ransomware are becoming more necessary.

In an attempt to find additional coverage for ransomware, many businesses and carriers have turned to kidnap and ransom (K&R) policies. K&R policies have traditionally been used by organizations to protect their executives, not to protect against ransomware. Because K&R policies were not designed for ransomware, they may only provide a quick fix. K&R policies tend to be less suitable for ransomware than cyber policies and payouts tend to be lower.

Policy Definitions, Terms and Conditions

Since cyber insurance isn’t standardized, organizations should review all policy language with a broker before choosing a plan. Policies can vary significantly in their language and coverage options, so insurance experts recommend policies that—at the very least—provide coverage for extortion demands and payments as well as lost income resulting from an attack.

Organizations should also take a close look at the following definitions, terms and conditions when choosing a policy:

  • Sublimits and deductibles—Most policies set a sublimit for covering ransomware. It is important to review this limit carefully, considering that demands may start on the low side, but can increase quickly. Additionally, since making a ransom payment may make organizations a target for subsequent ransom demands within the policy year, the deductible amount should reflect that risk.
  • Payment terms—Most policies require prior written consent before the insured can pay any ransom. This can result in payment delays and increased demands by the hackers. If an organization pays a ransom in order to resume business, without prior written consent by the insurer, there’s a chance that it may not be reimbursed. Therefore, organizations need to be comfortable with a policy’s terms in order to avoid compromising coverage.
  • Definition of extortion—It is important for organizations to fully understand and agree with their insurance company’s definition of extortion, since the definition dictates the trigger for coverage. For example, although hackers may intend to sell or misuse information, the ransom demand may only involve a countdown timer and demand for money. While the combination of the two may seem like an obvious threat to the insured, a carrier could possibly deny coverage on the basis that there was no explicit threat to sell or misuse information—all because of its unique definition of extortion.

What to Look for in a Policy

Companies should look for ransomware coverage that uses broad terminology and protects against a wide range of threats, including threats to do the following:

  • Access, sell, disclose or misuse data stored on your network, including digital assets.
  • Alter, damage, or destroy software or programs.
  • Introduce malicious software, including viruses and self-propagating code.
  • Impair or restrict access. Look for policies with broad terms like “threats to disrupt business operations.”
  • Impersonate the insured in order to gather protected information from its clients, also known as pharming or phishing.
  • Use your network to transmit malware.
  • Deface or interfere with your company’s website.

The Importance of Risk Management

Ransomware insurance is most effective when coupled with an effective risk management program, as there are many components in the fight against cyber crime. Risk managers should work with an insurance broker to review all applicable options before choosing cyber coverage.

Contact us today to learn more about available cyber policies and effective risk management techniques to protect your organization from ransomware attacks.


Exciting New Partnership!

We are very excited to announce a partnership that aligns our purpose, vision and values with the ability to gain national strength and stature, all while remaining strongly INDEPENDENT.

Effective May 5, 2017, Megson FitzPatrick partnered with Rogers Insurance Ltd. and the Inowest Group of Companies, out of Calgary, AB, making our combined organization one of the top five largest independent brokerages in Canada.

Our vision has always been to transform and expand Megson FitzPatrick into an even stronger independent broker, where decisions are ALWAYS based on delivering the best customer experience.  This new partnership is committed to our vision, and our clients are now able to benefit from the shared capabilities of each brokerage for more comprehensive expertise and service offerings, in addition to an expanded network of insurers to work with.

Our new partnership expands our reach to 14 offices across the country and over 500 employees.

If you have any questions or comments regarding this partnership, please contact Jay Tuson directly at jtuson@megsonfitzpatrick.com or 250-940-9029.

 

 


Liabilities for the Board of Directors

Non-profit organizations provide essential social services that benefit communities and their members. The vast majority of these organizations cannot survive without a volunteer board of directors assigned to elect officers, adopt policies and make major financial decisions for the organization. Although members of the board are volunteers, there is a certain amount of risk involved in holding one of these positions. Specifically, even when acting in good faith, board members are subject to personal liability, which may affect their personal financial status because of their management decisions.

It is imperative that your organization and board of directors understand the risks involved with their responsibilities as board members and the ways in which they can protect themselves from personal liability.

Risks and Responsibilities

To reduce the chance of board members incurring personal liability, non-profit organizations should assess the risks involved with holding these positions. Your organization should first develop a volunteer risk management committee to identify all risks and propose solutions to minimize potential harm. In addition, you need to ensure that the board members understand their governance responsibilities. Your non-profit should educate its board on their legal duties, fiduciary duties and decision-making roles. Furthermore, the risk committee should ensure the following:

  • The organization is working within its stated mission.
  • Funds are spent according to the mission and spending decisions are known to donors.
  • The organization does not accept donations with conditions.
  • Individuals advancing personal agendas counter to the organization’s mission are not allowed to sit on the board.

Once the risks are assessed and the board of directors is aware of those risks, board members must also understand the responsibilities associated with the positions they hold. Legally, board members have three main duties:

  1. Duty of Care: The individual should act in the way that a reasonable person would act in a similar position and under similar circumstances. Acting in good faith is an essential part of the functions of the board.
  2. Duty of Loyalty: The individual should place the organization’s financial interests as the primary responsibility. As a board member, one should not use his or her position for personal gain, financially or otherwise. In addition, individuals should be honest about business ventures that pose a conflict of interest when acting as a representative of the organization.
  3. Duty of Obedience: The individual should try to further the mission of the non-profit by supporting board decisions and implementing policies as they are outlined.

Board members who fail to fulfill their duties as outlined above may be held liable for their actions or inactions.

Protections

Since there are risks involved with being part of a non-profit board of directors, there are several protections available to minimize personal liability. First, most non-profit organizations have indemnification provisions in their bylaws. These provisions explain that the organization will cover or reimburse the legal expenses accrued by board members in the event of a lawsuit. However, it should be noted that indemnification is only as good as an organization’s financial ability to pay it. If an organization does not have excess funds, it may not be able to support this provision.

Incorporated organizations are required by law to indemnify their directors for such losses. There is no such obligation imposed upon unincorporated groups, but most groups do offer indemnities because it is a good policy to do so.

Finally, non-profit organizations should strongly consider purchasing directors and officers (D&O) liability insurance to cover their board members in situations that fall outside of the indemnification provisions or in the event that their financial situation does not allow them to cover extensive legal expenses.

Beyond providing financial backing to indemnification provisions, D&O liability insurance is essential since most individuals will not volunteer on a board with the knowledge that they are risking their personal assets in the event of litigation.

More Information

Proper insurance coverage and other risk management strategies can help ensure that your organization and its board of directors are protected against liability. For more information about appropriate insurance coverage, contact Megson FitzPatrick Insurance Services at (250) 595-5212 today.


Tis the Season to Celebrate… Safely!

Promoting Safety and Sobriety at Company-sponsored Events

To promote the safety and sobriety of your employees and guests at company-sponsored events, review the following recommended control measures:

  • Serve drinks to guests rather than offering a self-serve bar.
  • Set up bar stations instead of having servers circulating the room; if offered, people are inclined to accept drinks they wouldn’t have otherwise ordered.
  • Place table tents at each bar reminding employees and guests to drink responsibly.
  • Don’t price alcohol too low, as it encourages over-consumption.
  • Offer a range of low-alcohol and alcohol-free drinks at no charge.
  • Require servers to measure spirits.
  • Always serve food with alcohol.
  • Close the bar an hour before the scheduled end of the party.
  • Do not offer a “last call” as this promotes rapid consumption.
  • Never raffle alcohol or hold contests that involve buying or drinking alcohol.
  • Entice guests to take advantage of safe transportation options by subsidizing taxis or promoting a designated driver program.
  • If your event includes a program or speaker, schedule it for after dinner and drinks are served. This allows additional time for alcohol to wear off.

Before your company hosts its next event, contact Megson FitzPatrick Insurance Services. We can review your coverage and assist in developing a risk management plan that keeps safety a top priority at your company-sponsored events.

Limiting Social Host Liquor Liability

Liquor liability exposure is not limited to those whose primary business is the sale of alcoholic beverages. Know the law in your jurisdiction and take steps to control your risk.

A bartender is legally liable for serving alcohol to a patron who becomes intoxicated and then injures a third party. Does a business face a similar exposure when it hosts a social event where alcohol is served, such as an open house or employee picnic?

Anytime you provide alcohol to individuals in a non-commercial manner, you are considered a social host. After the Supreme Court of Canada’s decision in Childs v. Desormeaux, social hosts generally are not responsible for the acts of guests who consume alcohol. However, a social host may become responsible for the acts of their guests if their conduct creates or exacerbates a risk to the public. It is important to take the appropriate steps to control your risk.

Create a Risk Management Program

An important first step in limiting your liquor liability is to implement a risk management program. The liquor liability program must have the support of management, be communicated to supervisors and employees, and include a policy advising employees to drink responsibly at company events.

It’s also important to have a program in place that includes the following recommendations when working with third-party vendors:

  • When working with a vendor, such as a caterer or bartender service, verify they are licensed and insured.
  • Stipulate in your vendor’s contract that only those who have received alcohol-awareness training should serve or sell alcohol at your event.
  • Require the vendor to provide a Certificate of Liability Insurance to include events and liquor liability coverage naming your company as an additional insured.

The program should outline the procedures for handling intoxicated guests. This includes delegating who will assess the situation, such as hotel security or someone from your organization, and outlining appropriate actions for dealing with or removing a guest who has overindulged.

In the Event of an Incident

If an incident occurs, fill out a liquor liability incident report documenting measures taken to control the intoxicated person.

Liability Insurance

In addition to proper liquor liability planning and education, review your company’s current general liability insurance policy to determine your coverage in social-host situations.

Remember, even with the proper coverage, an events and liquor liability policy does not eliminate your exposure if alcohol service is in violation of a statute, a minor is served or an already intoxicated person is served.