The CHART Exchange July 2020

Page 1


TABLE OF CONTENTS

6 Glenn W. Clark, CPCU, Publisher CHART Exchange Earliest Adopter

6

Covid-19 Sees CHART Working With Strategic Partners On Program Relationships

9

VPN Vulnerabilities Tied To Ri8sing Data Exposure, Ransomeware

11

Update On EEOC Covid-19 Return To Workplace Guidance

12

Perrenial - Actuarial Services For Lloyd’s Coverholders

15

Is Your Linkedin Profile Helping You Or Hurting You?

17

OSHA Workplace Covid-19 Case Recording And Reporting

18

Security Risk Management - 2 Minute Security Talk by Kroll

20

Building An Inclusive Lloyd’s Marketplace

23

Hyundai Dealership Rental Program - E.O.X. Offers Real-Time Data

26

Lloyd’s New API Enhances And Simplifies Electronic Placement

31

Covid-19 Will See Historic Losses Across The Global Insurance Industry

33

Paycheck Protection Program: Certain Tax Issues Involving Loan Forgiveness

34

Lloyd’s Presents Solutions For Global Industry & Gov’t Partnerships Post CV-19

36

Adjusting To The New Business Realities of Insurance

46

Student Report: Are Passwords Passé?

48

Insider Threats During Economic Downturns

Cover Image: The image is released free of copyrights under Creative Commons CC0.


STUDENT REPORT:

ARE PASSWORDS PASSÉ? BY STUDENT SHAINA LOWENTHAL

JULY 2020 VOLUME 5 - ISSUE 2 Publisher: CHART Exchange Glenn W. Clark, CPCU Membership Services Kate Boyle Advertising: Kate Boyle Managing Editor: Kate Boyle

Psyomjesus, Steal password, CC BY-SA 4.0

Contributing Editor: Frank Huver

PG 46

Layout, Design & Circulation: Ron Manera AdMax Corp., Inc.

CHART Exchange

info@chart-exchange.com 3001 Philadelphia Pike Claymont, Delaware 19703 www.chart-exchange.com 302-765-6001 Last Issue:

PREFER TO READ IN PDF FORMAT? DOWNLOAD THE PDF VERSION HERE

ADVERTISING IN THE CHART EXCHANGE MAKES SENSE: CALL KATE: 302.765.6056


OUR TEAM IS THERE FROM THE START TO THE FINISH NSM Insurance Group Comprehensive Insurance Coverage for: Social Services I Addiction Treatment I Professional Liability Staffing Firms I Workers' Compensation I Collectible Vehicles Coastal Condo Associations I Breweries and Wineries Sports and Wellness I Specialty Aviation

888-235-3525 www.nsminc.com


NEVER MISS AN ISSUE OF CHART EXCHANGE

SUBSCRIBE NOW

SUBSCRIBE TO CONTINUE TO RECEIVE THE CHART EXCHANGE


MESSAGE FROM THE EARLIEST ADOPTER

COVID-19 SEES CHART 2.0 WORKING WITH STRATEGIC PARTNERS TO HELP CLIENTS DEVELOP, PACKAGE AND LAND NEW PROGRAM RELATIONSHIPS Glenn W. Clark, CPCU Publisher & Earliest Adopter

We found some incredible new opportunities for London that advance our clients’ offerings and income while delivering to London unique opportunity to address the acquisition costs issues that have increasingly plagued them. Doing business at a distance has actually helped us to do more coaching and less “doing” for our client partners. In the long run shared duties will make everyone stronger as they learn to be more effective and efficient through their own efforts.”

6 JULY 2020

Y

ou may recall that late last year we announced our plans to “re-make” The CHART-Exchange” into a more effective tool for commerce between the U.S. and London. We branded it as CHART 2.0. This “re-set” was necessitated by three factors: 1. The need to transition from a collegial to a results-oriented business model, 2. An obligation to our domestic program manager clients to better assist them in accessing the world’s oldest and most recognized insurance brand, and 3. A desire to more effectively deliver pre-qualified candidates to the London Market.

TABLE OF CONTENTS

With the best of intent we decided to augment our electronic messaging via CHART magazine with a comprehensive brochure that our target audience could access via our website and hard copy. Our planned 3/1/2020 production and mailing date ran into quite a COVID- 19 snag. Not exactly an ideal time to execute an expensive brochure and mailing campaign when the economy was virtually frozen and our audience was hunkered down at home. We are pleased to announce that our wait is over. Effective 7/6/2020, we will launch a campaign to articulate our new capabilities to virtually every wholesale operation in the country.

www.chart-exchange.com


H

opefully it will result in more inquiries about CHART 2.0, additional distribution for CHART magazine, and new clients for our team. If you’d like to view the brochure on line, here is the link.

What have we been doing in 2020? CHART 2.0 is diligently working with our strategic partners to help our new clients develop, package and land new program relationships. Business as usual has taken a new meaning. We’ve become more and more adept at Conference calls, Zoom/Webex meetings, weekly updates, monthly reporting as our skill sets are being challenged by the restrictions on travel.

We’ve been on our share of “goose chases” with prospects that may not have demonstrated that they will do the work necessary to build a credible program, yet we leave them with a definitive outline of what they would need to do to be successful. Here is the best part though: we found some incredible new opportunities for London that advance our clients’ offerings and income while delivering to London unique opportunity to address the acquisition costs issues that have increasingly plagued them. Doing business at a distance has actually helped us to do more coaching and less “doing” for our client partners. In the long run shared duties will make everyone stronger as they learn to be more effective and efficient through their own efforts.

Our partners on this side of the “Pond” are fully committed to the new model (as are our partners in London). We hope to have several success stories of new binding authorities in our first year of CHART 2.0. Take some time to review this e-magazine, CHART 2.0 brochure and reserve a minute to jot some feedback to us. Our Ben Franklin ad says it best. “When you’re finished changing, you are finished”. If you have an idea that will help us be more effective we promise we’ll listen. Glenn.Clark@ CHART-Exchange.com .

Glenn W. Clark , CPCU CHART’S Earliest Adopter

www.chart-exchange.com

TABLE OF CONTENTS

JULY 2020

7


Protect data, people, reputation and the bottom line with end-to-end cyber security solutions from Kroll. CY B E R R I S K A N D B R E AC H R E S P O N S E Incident Response

Deep & Dark Web Monitoring

Managed Detection and Response

Data Breach Notification Solutions

Cyber Risk Assessments

CISO and Data Protection Advisory

PFI / QSA Services for PCI

Table Top Exercises

kroll.com


ANALYSIS - KROLL

VPN VULNERABILITIES TIED TO RISING DATA EXPOSURE, RANSOMWARE

K

roll, a division of Duff & Phelps, reviewed a wide variety of incident response cases in recent weeks that involved some sort of remote access compromise. With record numbers of employees now working from home, accidental and malicious data exposure incidents are on the rise, many of which are

due to vulnerabilities associated with virtual private network (VPN) or remote desktop protocol (RDP) connections. While VPNs are traditionally more secure than RDP solutions, several VPN providers released significant software patches in the past year, a fact that cybercriminals were

T

homas Brittain is an associate managing director with the Cyber Risk practice of Kroll, a division of Duff & Phelps, based in St. Louis. He has over 14 years of information security experience advising organizations on secure configurations, risk reduction, incident response, and tackling tough security challenges. Thomas joined Duff & Phelps from Carbon Black, where he was senior manager of the firm’s global incident response (IR) partner program. As co-creator, Thomas grew the program to include over 75 active IR firms and advised those firms on threat hunting and security strategy leveraging Carbon Black.

N

icole Sette is a senior vice president in the Cyber Risk practice of Kroll, a division of Duff & Phelps, based in the Secaucus office. Nicole brings unique insight to the multiple dimensions inherent in client challenges from her years of federal law enforcement and military experience. Nicole served as a Cyber Intelligence Analyst with the Federal Bureau of Investigation for nearly 10 years, and was an Intelligence Specialist with the U.S. Army Communications-Electronics Command for four years.

www.chart-exchange.com

TABLE OF CONTENTS

quick to seize on. Organizations that haven’t updated their VPN software are now prime targets for ransomware operators and other malicious actors. In a recent Cybersecurity Advisory, the National Security Agency (NSA) urged organizations to check VPN products for upgrades. The advisory warned, “Upgrade your VPN products to the latest vendorreleased versions to protect your networks from these attacks. The known vulnerabilities include Pulse Secure™, Palo Alto GlobalProtect™ and Fortinet FortiGate™ VPN products.” Pulse Secure VPNs are particularly vulnerable due to the critical CVE-2019-11510 alert issued by the company last year for a flaw that allows for remote authentication to a VPN appliance. Pulse Secure’s advisory stated vulnerabilities could “allow an unauthenticated user to perform a remote arbitrary file access on the Personal Communication Service (PCS) gateway … and allow an authenticated administrator to

See VPN Vulnerabilities Page 24

JULY 2020

9


THERE’S A BETTER WAY TO CONNECT WITH LONDON …

CHART CAN GET YOU THERE FASTER! Most of us know about Lloyd’s of London. The market’s 332 year track record of innovation, technical expertise, and product diversity has cemented its reputation within the industry. Unfortunately, the vast majority of U.S.-based agencies with new program or product ideas are unsure of how to access the world’s oldest insurance brand. The CHART Exchange can help. We were established for the sole purpose of growing the U.S./London marketplace by serving as the conduit between domestic producers and Lloyd’s Risk Takers. Our vast network of Vendor Partners can provide the support needed to help develop your program proposal. Available services include Actuarial, Claims Administration, Marketing, Legal, and Systems. We can even assist in expediting the implementation of your new program through our unique “Incubator” facility. Interested in learning more? Visit our website at www.chart-exchange.com. We are also available via e-mail (info@chart-exchange.com) or by phone at the number below.

855-716-3660 The CHART Exchange 3001 Philadelphia Pike Claymont, DE 19703 www.chart-exchange.com • Fax: (302) 334-0325


ANALYSIS -WILSON ELSER

UPDATE ON EEOC COVID-19 RETURN TO WORKPLACE GUIDANCE

O

n June 11, 2020, the Equal Employment Opportunity Commission (EEOC) issued updates to its technical assistance guidance to address employers’ questions as they plan for the safety of employees returning to the workplace. The guidance, “What You Should Know About COVID-19 and the ADA, the Rehabilitation Act, and Other EEO Laws,” appears in question-and-answer format with updates to address return to work issues, including requests for accommodation; workplace screening issues; pandemic-related harassment;

and age, caregiver and pregnancy discrimination.

• No Accommodation for COVID-19-Related Associational Disability. Employers are not required to provide an accommodation to an employee to avoid exposing a family member of the employee who is at higher risk of severe illness from COVID-19 due to an underlying medical condition. For example, an employer is not required to provide telework as an accommodation to an employee

without a disability in order to protect the employee’s family member with a disability from potential COVID-19 exposure.

• Return to Work Screening. If an employee requests an alternative method of return to workplace screening due to a medical condition, employers may choose to make the requested change available to all employees without going through an interactive process. Alternatively, See Return To Work Guidance Pg 42

G

regg Kahn focuses his practice on labor and employment litigation, representing employers of all sizes. Gregg also devotes a substantial portion of his time to professional liability defense and real estate litigation. In his various roles over the course of his career, Gregg has counseled clients, handled complex litigation and coordinated litigation services on a nationwide basis. Gregg has successfully defended numerous property managers and real estate brokers before HUD and the New Jersey Division on Civil Rights against charges of various forms of discrimination.

L

aura Stutz practices in the area of employment law counseling and litigation. She represents management in the hospitality, retail, financial services and health care industries, including hospitals and hospital systems, nursing homes, clinical laboratories, acute care centers and retail pharmaceuticals. Laura’s practice involves counseling employers on employment laws and employee benefit issues arising under ERISA. She also litigates on behalf of management in state and federal courts and before administrative agencies over disputes involving claims of discrimination, harassment, wrongful discharge, retaliation, whistleblowing, wage-and-hour noncompliance, misappropriation of trade secrets, and enforcement of non-competition and non-solicitation agreements.

www.chart-exchange.com

TABLE OF CONTENTS

JULY 2020

11


INTRO - PERRENIAL

PERRENIAL – ACTUARIAL SERVICES FOR LLOYD’S COVERHOLDERS by Asad Khalil

A

P

errenial is an actuarial consultancy based in London. We were formed in 2018 and work with Lloyd’s Syndicates to help them review the profitability of their delegated authority business. Our senior actuaries have over 40 years of combined London market experience and have previously worked for a number multinational insurers and brokers. We are experienced in dealing with traditional Property and Casualty risks to more specialist lines of business such as Energy and Aviation. Having carried out actuarial analysis on numerous binders we recognize that Lloyd’s Coverholders and MGAs can better position themselves for capacity renewal negotiations with capacity providers by implementing a number of small changes. We provide three core actuarial services to Lloyd’s Coverholders to help them renew their capacity and monitor their performance, these are:

• Ultimate Gross Loss Ratio projections and forecasts – This service helps Lloyd’s Coverholders to understand how

12 JULY 2020

sad Khalil is a qualified actuary with over 10 years’ experience and is the Managing Director and Founder of Perrenial. He specializes in London Market Pricing and carrying out binding authority profitability reviews of MGAs and Lloyd’s Coverholders for Lloyd’s syndicates. Asad is also on the Lloyd’s list of independent reviewers. Prior to his role at Perrenial he was the Lead Analytics Actuary at Verisk. Asad has also held Pricing and Reserving Actuarial roles at Marsh, Aspen Re and Zurich.

CONTACT DETAILS Website: www.perrenial.co.uk Tel: +44 (0)7399025851 • Email: asad.khalil@perrenial.co.uk capacity providers view their performance.

• Building new and refining existing rating models – This service ensures premium adequacy is not an issue for Lloyd’s Coverholders

• Portfolio and risk selection optimization – This service helps Lloyd’s Coverholders identify areas of their book that are performing poorly and put strategies in place to improve performance. Our goal is to partner with Lloyd’s Coverholders to provide them with

TABLE OF CONTENTS

cutting edge Analytical and Actuarial services to help them to understand and improve their performance. We want them to outperform their competitors and become recognized by their capacity providers as being sophisticated players due to their actuarial modelling capabilities. We are excited to become the preferred actuarial services provider for the CHART-Exchange. The US is one of the largest markets for Lloyd’s Coverholders and we feel that the CHART-Exchange are doing an excellent job in creating a forum in which the Lloyd’s Syndicates and US Coverholders can explore business opportunities. www.chart-exchange.com


ACTUARIAL SERVICES FOR LLOYD’S COVERHOLDERS LOSS RATIO PROJECTIONS CREATING AND UPDATING RATING MODELS PORTFOLIO OPTIMIZATION

Asad Khalil, FIA - Managing Director Mobile: +44(0)7399 025 851 Email: asad.khalil@perrenial.co.uk

www.perrenial.co.uk


NEWS Merger & Acquisition Services

serving the insurance industry

Merger & Acquisition Services is a

SPECIALIST ADVISORY AND FINANCIAL SERVICES FIRM firm specifically to participants within the insurance industry. Our mission is to provide

CONCIERGE-LEVEL SERVICES AND EXPERTISE

PROUD SPONSOR OF

SOLELY FOCUSED ON THE INSURANCE INDUSTRY. This allows our advisors to obtain critical industry knowledge and subsequently, provide clients with sound advice.

M&A Services has closed

MORE THAN 100 TRANSACTIONS IN 10 YEARS and has earned continuous placement within the "Top 5 Financial Advisors in Insurance Underwriting" according to SNL Financial. Investment banking services and securities transactions are provided through and completed by Merger & Acquisition Capital Services, LLC., a broker-dealer registered with the U.S. Securities and Exchange Commission and member of FINRA and SIPC.

OUR SERVICES Agency M&A Transactions Carrier M&A Transactions Agency Financing Capital Raising Strategic Advisory Valuation Services Program Business Renewal Rights Fronting

info@maservices.com http://maservices.com

(212) 750-0630 320 East 53rd Street New York - NY - 10022 Copyright 2017 Merger & Acquisition Services, Inc. & Merger & Acquisition Capital Services, LLC. All Rights Reserved.

NEW YORK, NY - ATLANTA, GA - MYSTIC, CT - CAYMAN ISLANDS

within the insurance industry by assisting firms with their corporate development and acquisition/divestiture objectives. M&A Services is


ANALYSIS - PL COMMUNICATIONS

IS YOUR LINKEDIN PROFILE HELPING OR HURTING YOU? By Paul Lavenhar

L

inkedIn is the Facebook of business. According to LinkedIn, 4 out of 5 of its members “drive business decisions.” Making LinkedIn work for you takes the same thought process as succeeding in Google searches with Search Engine Optimization (SEO). It all starts with your LinkedIn profile. With the Covid-19 crisis, business is more virtual and online than ever. According to LinkedIn, in March 2020, it had a 60 percent increase in content creation and a 55 percent increase in conversations between users

compared to the same month last year. That means more business people than ever are using LinkedIn to make themselves known. It also means it is more challenging than ever to stand out. The first place people see you is your profile. If you reach out to connect with someone on LinkedIn, the first they will do is check out your profile. If you don’t get their interest in the first moment they see it, there are millions of other profiles they can view instead. Whether you are hunting for a job like many people are today, working as a “solopreneur” offering a service, or promoting your company, what

A

bout the author: Paul Lavenhar’s firm PL Communications has provided marketing communications services for 25 years to such insurance clients Rockwood Programs, Capacity Coverage, MetLife, Selective, York Risk Services, and Admiral Insurance, among others. He has has written for 500+ companies in various industries. Paul also leads a band called GoodWorks that provides music and marketing services to help nonprofits raise money and awareness pro bono. Paul Lavenhar is the principal of the insurance marketing communications firm PL Communications.

works is essentially the same – a strategic profile that stands out, that is complete, and that addresses the issues faced by the reader. After reviewing dozens of articles and several books, here are the basics you need to complete a profile that helps you get found. Beyond the basics, tricks of the trade from the leading LinkedIn gurus can give you a competitive edge.

HERE ARE THE FIVE BASICS PLUS RECOMMENDATIONS FROM LEADING LINKEDIN EXPERTS In music and art, they say begin by mastering the basics to learn how to express yourself creatively. The same is true with LinkedIn. You have to master the basics before employing the more advanced search techniques to make yourself “findable” by the people you want to connect with for business. 1. The expression a picture is worth a thousand words is true on LinkedIn. Your picture is what grabs someone’s attention. It tells people something about who See Linkedin Profile Page 39

www.chart-exchange.com

TABLE OF CONTENTS

JULY 2020

15


YO U R PA RT N E R F O R A D M I T T E D M A R K E T C A PAC I T Y PROGRAM CARRIER WITH

1.1 BILLION

$

IN TOTAL SALES

A- RATING A.M. BEST

S P E C I A LT Y P RO G R A M S

PREMIUM FINANCE

7

ADMITTED

INSURANCE COMPANIES

CAPTIVES & RETRO COMMISSION STRUCTURES RISK PARTICIPANT SUPPORTING COVERHOLDERS, MGA S & MGU S

CREDIT P RO G R A M S

WA R R A N T Y P RO G R A M S

As a CHART vendor partner, Fortegra’s admitted paper helps coverholders and MGAs gain access to premier markets. Learn how Fortegra’s admitted program can help you Experience More at fortegra.com/programs, or via email at programs@fortegra.com. Fortegra® is the marketing name for the specialty underwriting operations of Fortegra Financial Corporation and its subsidiaries. Specialty underwriting program availability varies by jurisdiction. Where available, the programs are underwritten by admitted insurance companies.


ANALYSIS - WILSON ELSER

OSHA WORKPLACE COVID-19 CASE RECORDING AND REPORTING Authors: Wilson Elser attornies Gregg S. Kahn, Laura A. Stutz

O

n May 19, 2020, the U.S. Department of Labor’s Occupational Safety and Health Administration (OSHA) issued revised Enforcement Guidance for recording cases of COVID-19, which is a recordable illness under OSHA’s record keeping requirements. Beginning May 26, 2020, employers are required to record cases of COVID-19, if the following three circumstances are present:

The case is a confirmed case of COVID-19, as defined by the Centers for Disease Control and Prevention. The case is work-related as defined by 29 C.F.R. § 1904.5. An injury or illness is considered to be work-related if an event or exposure in the workplace either caused or contributed to the condition or significantly aggravated a preexisting injury or illness. Generally, workrelatedness is presumed for such injuries unless one of the nine exceptions listed in 29 C.F.R. §

1904.5(b)(2) specifically applies. In recognition of the difficulty of determining work-relatedness, OSHA is exercising enforcement discretion in determining workrelatedness in the context of employee COVID-19 illness. The case involves one or more of the general recording criteria set forth in 29 C.F.R. § 1904.7. Under section 1904.7, injury or illness is considered to meet the general recording criteria, and

See OSHA Workplace Page 29

G

regg Kahn focuses his practice on labor and employment litigation, representing employers of all sizes. Gregg also devotes a substantial portion of his time to professional liability defense and real estate litigation. In his various roles over the course of his career, Gregg has counseled clients, handled complex litigation and coordinated litigation services on a nationwide basis. Gregg has successfully defended numerous property managers and real estate brokers before HUD and the New Jersey Division on Civil Rights against charges of various forms of discrimination.

L

aura Stutz practices in the area of employment law counseling and litigation. She represents management in the hospitality, retail, financial services and health care industries, including hospitals and hospital systems, nursing homes, clinical laboratories, acute care centers and retail pharmaceuticals. Laura’s practice involves counseling employers on employment laws and employee benefit issues arising under ERISA. She also litigates on behalf of management in state and federal courts and before administrative agencies over disputes involving claims of discrimination, harassment, wrongful discharge, retaliation, whistleblowing, wage-and-hour noncompliance, misappropriation of trade secrets, and enforcement of non-competition and non-solicitation agreements.

www.chart-exchange.com

TABLE OF CONTENTS

JULY 2020

17


ANALYSIS - KROLL

SECURITY RISK MANAGEMENT

2-MINUTE SECURITY TALK W/ EMILY BAUM | OFFICE DESIGN POST-COVID-19

E

mily Baum is a senior manager in the Security Risk Management practice of Kroll, a division of Duff & Phelps, based in the New York office. Emily’s professional background includes experience in the development and engineering of complex physical security systems, ranging from solution design to implementation and service administration. She has worked with clients in a multitude of industries, including government, critical infrastructure, financial services, healthcare, education and hospitality, as well as places of worship and corporate and commercial facilities. Through her years of experience, Emily has acquired in-depth technical knowledge of security products from leading manufacturers, specifically those related to enterprise access control and visitor management, physical and biometric credential technology, video surveillance and analytics, intrusion detection, vehicle and personnel screening, and architectural security elements.

18 JULY 2020

TABLE OF CONTENTS

www.chart-exchange.com


One Star Insurance Solutions, LLC offers a comprehensive Excess Program available to all independent agents for excess coverage with limits from $1 million to $10 million. Additional limits are also available upon request. We received our Lloyd’s Coverholder designation in 2016 and have underwriting authority to offer follow-form excess in 13 states. This program is open to all agents with a specific focus in the oil & gas sector, who have needs for increased limits /coverages over underlying policies and want to take advantage of the follow-form coverage. This Excess coverage is also available on risks such as contractors for building trades, transportation construction, utility construction, land improvement, forest products, structural moving and general contractors. It is our recommendation that you offer our indication unsolicited to all of your oil & gas clients. The reason is two-fold:  Our Rate Indication Workbook provides fast, accurate indications for your clients. In most cases, the indication that is calculated will be the final quote*.  Most importantly, by offering an excess quote you have alleviated the burden of a potential E&O claim. Gunnar Kephart, E&O Specialist for the Independent Insurance Agents of Texas has indicated that the largest number of E&O claims have come as a result of not offering enough limits or not offering the coverage at all. Over BITCO:

Submission Requirements

Signed Acord 125 & 131 BITCO Auto Questionnaire Oil Lease Operator/Contractor Questionnaire Underlying Quotes Underlying Limit Requirements: CGL 1M/3M, AL 1M, PL 1M/3M, EL 1M/1M/1M

5-year Currently Valued Loss Runs If applicable: Well Schedule Drilling footage for wells to be drilled MSA Program Manager, Hannah Walters Hannah@1starins.com *Complete submissions will need to be made with all required data before a formalized quote can be issued.


NEWS - LLOYD’S OF LONDON

BUILDING AN INCLUSIVE LLOYD’S MARKETPLACE

R

ecent events have shone a spotlight on the inequality that black people have experienced over many years as a result of systematic and structural racism that has existed in many aspects of society and unleashed difficult conversations that were long overdue. At Lloyd’s we understand that we cannot always be proud of our past. In particular, we are sorry for the role played by the Lloyd’s market in the eighteenth and nineteenth Century slave trade - an appalling and shameful period of English history, as well as our own. In acknowledging our own history, we also remain committed to focusing on the actions we can take today to shape our future into one that we can truly be proud to stand by. Over the last week we have listened carefully to our Black and Ethnic Minority colleagues in the Lloyd’s market. We have heard their frustrations, and it is clear that we must commit now as a market to take meaningful and measurable action. Building an inclusive culture is essential to the market’s future

20 JULY 2020

success and that is why culture sits alongside performance and strategy as one of the Corporation’s three strategic priorities. And we are not alone - through initiatives like Inclusion@Lloyd’s and Dive In, the wider Lloyd’s market has in recent years thrown its collective resources behind the drive for greater diversity and inclusion across the piece. We have made progress, but not enough. Therefore, today we are announcing a number of initiatives to help improve the experience of Black and Minority Ethnic talent in the Lloyd’s market. We will: 1. Invest in positive programmes to attract, retain and develop Black and Minority Ethnic talent in the Lloyd’s market, including launching our ‘Accelerate’ Programme – a modular programme to develop Ethnic Minority Future Leaders across the market. 2. Review our employee and partner policies, as well as our organisational artefacts, to ensure that they are explicitly non-racist. 3. Commit to education and

TABLE OF CONTENTS

research. We will educate our colleagues and continue our research into the experiences of Black and Ethnic Minority professionals working in insurance, and share what we learn with the market. 4. Provide financial support to charities and organisations promoting opportunity and inclusion for Black and Ethnic minority groups. 5. Develop a long-term action plan in collaboration with our Culture Advisory Group, Black and Minority Ethnic colleagues and white allies who will inform our journey and hold us to account. We are grateful to our Black and Ethnic Minority colleagues who have helped to shape our conversations and actions to ensure that we create an environment free from injustice for them and for all. Our commitment is that we will continue to listen and learn as we act and to measure our progress. There is a long way to go but we are determined that we can and will create a culture in the Lloyd’s market in which everybody can flourish.

www.chart-exchange.com


www.chart-exchange.com

TABLE OF CONTENTS

JULY 2020

21


888.246.7211 sales@eoxvantage.com

WE’RE AMPLIFYING

INSURANCE.

business efficiency amplified

Give your team and customers enhanced experiences and efficiencies with custom solutions using EOX Vantage’s Enterprise Operating System System.

Custom Solutions

Collaboration Tools

• Digitize and automate operations

• TeamedUp 2020 suite: • Chat with video conferencing • Integrated Mail • CRM • Announcements • Enhance team communication, productivity and efficiency • Free through 12/31/20

• Save time and money • Speed up processes • Enhance customer satisfaction

EOX Vantage’s Enterprise Operating System can amplify efficiencies for your insurance operations. Learn how at: info.eoxvantage.com/june-digitization-webinar-registration-0/ 22 JULY 2020

TABLE OF CONTENTS

www.chart-exchange.com


NEWS -EOX VANTAGE

HYUNDAI DEALERSHIP RENTAL PROGRAM - EOX OFFERS REAL-TIME DATA Arrowhead Rental Programs Secures Hyundai and Genesis Dealership Rental Program Business with the Support of EOX Vantage Technology Platform

B

work tools provided in its flagship product, the Enterprise Operating System. EOX Vantage is also helping other businesses during this difficult transitional time with their digital transformation efforts, which allow them to digitize processes and leverage the resulting data to amplify business efficiencies and enable operational successes.

in a market segment at which the companies have proven adept. April 1, 2020 marks the two-year anniversary of their first foray into dealership rental programs. They started with Mercedes-Benz USA, followed by Subaru of America.

“We are so pleased to be able to deliver efficiencies for a prestigious global brand,” said EOX Vantage CEO Sudhir Achar. “Especially in this chaotic time of the pandemic, entering such a partnership is remarkable. We are really looking forward to working with Hyundai and Genesis for a long time to come.”

as actionable dashboards, to deliver transparent and real-time data for their rental programs. The result is much quicker turnaround time and improved management for all elements of the program, including inventory tracking, adding coverage to a new vehicle and printing out individual Insurance ID cards on

For all these dealerships and retailers, EOX Vantage uses aspects of the Enterprise Operating System, such

EACHWOOD, Ohio, April 21, 2020 /PRNewswire/ -Arrowhead Rental Programs, in partnership with EOX Vantage, has won the business to deliver support for the rental program of loaner vehicle fleets at more than 1,000 dealerships for Hyundai Motor Group and Genesis Motor, LLC (a luxury vehicle division of Hyundai). The agreement was finalized in the face of obstacles from the coronavirus pandemic. It was concluded during stay-at-home orders in place for both EOX Vantage and Hyundai headquarters; in-person training had to be replaced with video tutorial guides within a few days. All EOX Vantage staff members are currently working from home using the company’s own remote www.chart-exchange.com

The contract with Hyundai and Genesis represents the newest success TABLE OF CONTENTS

See E.O.X. Vantage Page 30 JULY 2020

23


ANALYSIS - KROLL Continued From Page 9

VPN VULNERABILITIES TIED TO RISING DATA EXPOSURE, RANSOMWARE perform remote code execution...”, both of which the advisory further added, “pose significant risk to your deployment.” This advisory was updated in 2020 to reflect new exploitation information and recommendations. Given the fact that there is no workaround, the Cybersecurity and Infrastructure Security Agency (CISA) recommends applying patches provided by the vendor and performing all necessary system updates.

on a valid session ID through means such as brute-force attacks or reverse engineering. Thomas Brittain, Associate Managing Director at Kroll, said that has dramatically changed. He

HOW DO THREAT ACTORS EXPLOIT VULNERABLE VPNS? Actors are mainly identifying potential corporate targets by scanning the internet and then gaining access to user accounts via known exploits. Skip to the “Exploit in Action” section of this newsletter to see a video demonstration. In the past, threat actors most often compromised VPNs through “session hijacking,” after getting their hands

commented, “We’ve been seeing engagements where actors are getting access without session hijacking and that’s due to CVE2019-115110’s pre-authentication vulnerability that allows unimpeded access. Essentially, actors can query the vulnerable VPN to pull a unique ID for an account, then leverage

A

bout the author: Reshimi Khurana is managing director and head of Southeast Asia in Kroll, a division of Duff & Phelps’ Business Intelligence and Investigations practice, based in the Singapore office. Reshmi has more than 15 years of experience in the United States as well as in South and Southeast Asia conducting complex corruption investigations, litigation support projects, and due diligence on the management, operations, and business models of organizations. Her experience includes helping clients identify and bridge gaps in internal controls and corporate governance through people, processes, and technology. Reshmi advises a wide range of clients, such as asset management companies and banks; corporations in the mining, oil and gas, consumer packaged goods, retail, and pharmaceutical industries; and law firms. Reshmi joined Kroll in 2003 in New York, where she worked for six years. She then moved to Kroll’s Singapore office, where she oversaw the operations in Southeast Asia before joining Kroll’s Mumbai office in 2011. Recently, she has led assignments in India, Bangladesh, Sri Lanka, Nepal, Maldives, and Mauritius. Prior to joining Kroll, Reshmi was a consultant with McKinsey & Company in India, where she advised clients on strategy and operations in the telecom, retail, and consumer packaged goods sectors.

24 JULY 2020

TABLE OF CONTENTS

www.chart-exchange.com


web browser development tools to manually set a value to the ID, and that allows them unauthenticated access to the VPN administrator console.” From there, it’s generally short work for actors with system access to remotely connect to internal systems. Once on your internal network, they download and execute programs and commands to conduct reconnaissance and harvest passwords enabling them to move laterally in the network and, in many cases, prepare to deploy ransomware.

unpatched VPN systems for many months. In October 2019, both the National Security Agency (NSA) and National Cyber Security Centre (NCSC) put out alerts on these attacks and encouraged enterprises to patch. These actors could leverage exploits to target newly created VPN appliances to gain access to intellectual property or other sensitive data on company networks.

SEE A CVE-2019-115110 EXPLOIT IN ACTION The video below demonstrates how the vulnerability can be exploited in an unpatched system. Actors remotely scan a system to extract an admin session ID and then bypass the admin login screen by loading the session ID to the browser console, which gives them unauthenticated access to all admin functions. In this example, actors force Windows’s calculator app to load after a VPN user connects to the network, but a real attack would execute more damaging scripts. In addition to financially motivated actors targeting vulnerable VPNs, advanced persistent threat (APT) groups have also been capitalizing on unsecured VPN infrastructure. Microsoft threat intelligence teams have observed multiple nation-state and cybercrime actors targeting www.chart-exchange.com

Figure 1

VPN EXPLOITS ON THE DARK WEB Often the initial challenge in exploring vulnerabilities is finding a way to exploit them, as it involves careful research and may require a rethink of existing attack vectors. Sophisticated exploit scripts can go for thousands of dollars in dark web markets, and some particularly impactful exploit tools are actually considered military weapons. For CVE-2019-11539, however, effective exploits are available on the dark web for free, as you can see in Fig. 1 below:

the critical need for organizations to know the current status of their VPN infrastructure and apply all patches prior to connecting to the internet. Sodinokibi ransomware actors entered a client’s system through a vulnerability in Pulse Secure VPN. The actor began deploying the ransomware across all the client’s servers and later sent ransom demands, threatening to publish exfiltrated data. Actors struck just one to two days after a client added two unpatched VPN appliances to their network. Kroll’s investigation found that prior to a ransomware attack, credentials for the client’s domain administrator and IT director were compromised. Two new domain admin accounts were created by the actors once they gained access to the network. This example demonstrates the importance of patching vulnerable VPN appliances, as quickly as possible. KROLL EXPERTS CORNER: BEST PRACTICES FOR SECURING VPNS As organizations contend with remote networking challenges, VPN security is imperative. Thomas Brittain has provided several best practices to help prevent the compromise of VPN appliances, related data exposure and

CASE STUDIES Kroll’s recent case studies emphasize TABLE OF CONTENTS

See VPN Vulnerabilities Page 29 JULY 2020

25


NEWS - LLOYD’S OF LONDON

LLOYD’S NEW API ENHANCES AND SIMPLIFIES ELECTRONIC PLACEMENT Lloyd’s today announced the launch of a new application programme interface (API) to help London Market brokers and underwriters place business electronically, as part of the Future at Lloyd’s work on developing the next generation of PPL.

T

he new API is available immediately and enables the frictionless flow of electronic placement data for submissions and quotes between carriers and brokers using either PPL or any other proprietary platform. Atrium Underwriting Limited will be the first to adopt the new API, which was developed by Lloyd’s in collaboration with PPL and LIMOSS as well as several other Lloyd’s brokers and underwriters. Jennifer Rigby, Chief Operations Officer and Executive Sponsor of the Future at Lloyd’s, said: “This is an exciting new development that will enhance and simplify the flow of electronic

26 JULY 2020

placement data across the market, as we continue to progress the development of the next generation version of PPL. At Lloyd’s we want to make digital solutions that deliver better outcomes for our customers in a way that benefits the entire market. We are committed to sharing these benefits as quickly as possible using an open source framework that engenders even greater collaboration and engagement across the Lloyd’s ecosystem.”

The result is that, when the API is implemented by a market firm, it will be possible to drive PPL entirely from their own systems without using the platform’s user interface for Submission & Quote. Next we will move on to look at Firm Order.”

Justin Emrich, Chief Information Officer at Atrium, commented: “With this development we have the opportunity to significantly streamline the process of taking in business through all the various stages starting with APIs are vital for Submission to Quote, from a single improving the flow of user interface. Our vision is to deliver digital data around the a single screen for underwriters with no logging in, no copying and market. They benefit brokers pasting, no duplicate or manual and carriers by enabling them to work from their own systems, entry, everything inter-connected from within the Atrium software reducing the need for double ecosystem.”

entry of data and documents. Not all parties need to have APIs to work together on a placement.” Susan Jakobek, Managing Director of Placing Platform Limited, said: “The ability to share data is one of the core components in enhancing PPL and increasing adoption across the market. This development has been a tremendous collaborative effort. TABLE OF CONTENTS

APIs are vital for improving the flow of digital data around the market. They benefit brokers and carriers by enabling them to work from their own systems, reducing the need for double entry of data and documents. Not all parties need to have APIs to work together on a placement. These APIs are now available via the new Lloyd’s Developer Portal and support will be offered by PPL and LIMOSS.

www.chart-exchange.com



“WHEN YOU’RE FINISHED CHANGING,

YOU’RE FINISHED” - Benjamin Franklin

Benjamin Franklin: Scientist, philosopher, Founding Father … and business strategist? Mr. Franklin’s advice about adapting to thrive is especially appropriate in the highly fluid insurance industry. The CHART Exchange began with a good idea back in 2015: become the catalyst for growth in the U.S./London marketplace by facilitating interaction between domestic wholesalers/agency specialists and Syndicate underwriters. Large-scale networking events were held annually in elegant venues. While this approach produced results, feedback from the meeting participants indicated we could do much more to achieve our goal. As a direct result of this feedback, CHART 2.0 adopted a more proactive operating model intended to provide advocacy-level support to U.S.-based agencies seeking to place business within the London market. The expertise of our various Vendor Partners — when combined with new brokerage placement capabilities — gives CHART 2.0 clients access to a broad array of services they need to be successful. Interested in learning more? Visit our website at www.chart-exchange.com. We are also available via e-mail (info@chart-exchange.com) or by phone at the number below.

www.chart-exchange.com

The CHART Exchange, 3001 Philadelphia Pike Claymont, DE 19703

Phone: (855) 716-3660

Fax: (302) 334-0325


ANALYSIS - KROLL Continued From Page 25

logged in to your internal network, switch user accounts. • Enable logging on all VPN and/or firewall appliances to track all authentication events (successful, failed and unauthenticated), user activity such as RDP connections, file access/ downloads and the volume of data (e.g., Cisco’s NetFlow protocol) transmitted and received. If possible, send all logs to a Security Information and Event Management (SIEM) system, which can serve as a centralized event and log data collection and analysis point. Create a process to review, test and update any edge/internetconnected systems regularly.

VPN VULNERABILITIES ransomware attacks: IMMEDIATE MITIGATION RECOMMENDATIONS •

• •

Update and apply all patches and secure configurations of any VPN or other edge/gateway appliance before placing on your network or connecting to the internet Enable multifactor authentication (MFA) or twofactor authentication (2FA) for all user accounts leveraging external access over VPN or RDP services; enforce regular password resets that include a complex password policy Reset all local VPN accounts, VPN users, administrators and service account credentials before reconnecting upgraded devices to the internet Revoke and create new VPN server keys and certificates Review your network accounts to ensure adversaries did not create new accounts

ADDITIONAL RECOMMENDATIONS •

Minimize or eliminate remote access for administrator accounts through VPN or RDP services. Leverage a user account with limited privileges and once www.chart-exchange.com

CRUCIAL CONSIDERATION FOR THE NEW NORMAL Even though some organizations are already planning to return their employees to offices, the move will be gradual; many organizations may prefer to continue remote working indefinitely. VPN configuration remains a crucial step in protecting a remote workforce, and it’s imperative that vulnerabilities like CVE-2019-11539 and CVE-2019-115110 are addressed, along with many others, as part of a robust vulnerability management program. For further guidance, contact a Kroll expert at one of our 24x7 cyber incident response hotlines or our Contact Us page. Adjusting to the New Business Realities of TABLE OF CONTENTS

Continued From Page 17

OSHA WORKPLACE

is therefore recordable, if the injury or illness results in death, days away from work, restricted work or transfer to another job, medical treatment beyond first aid or loss of consciousness. Significant injuries or illnesses diagnosed by a physician or other licensed health care professional also are considered to meet the general recording criteria and are recordable, even if the significant injury or illness does not result in one of the listed conditions.

The guidance reiterates that the recording of a COVID-19 case does not in and of itself mean that an employer has violated an OSHA standard. Additionally, employers with 10 or fewer employees and employers in certain low-hazard industries need only report workrelated COVID-19 illnesses that result in a fatality or an employee’s in-patient hospitalization, an amputation or the loss of an eye. Whether or not a COVID-19 case is work-related or reportable, employers should continue their efforts to minimize the risk of transmission of the disease in the workplace through proper hygiene, social distancing and personal protective equipment. JULY 2020

29


NEWS - EOX VANTAGE Continued From Page 23

HYUNDAI DEALERSHIP RENTAL PROGRAM - EOX OFFERS REAL-TIME DATA demand. For instance, obtaining insurance coverage for a loaner car at one time could have taken up to 30 days, and is now accomplished in less than 24 hours. This streamlined and efficient data-driven process replaces the older, ineffective, underused and, for many dealerships, unadopted systems.

50% were participating; within the first 90 days of going live with the new EOX Vantage-supported system, participation grew to a full 100%. Varun Badarinath, product manager at EOX Vantage and its liaison for Arrowhead, noted: “We’ve had the pleasure of working with Arrowhead

a spirit of exploration and discovery as a national insurance program administrator and managing general agency. Its mission is using technology to pioneer the most innovative risk solutions to profoundly simplify the insurance experience. Arrowhead’s people and technology remain at the forefront of industry innovation, pioneering solutions that simplify the insurance experience, building trust and reducing uncertainty. Arrowhead takes pride in its 30 top-rated carriers, 30+ products, 11,000 agency locations, 800+ employees and more than $1 billion written premium. ABOUT EOX VANTAGE:

As a recognized global leader of operational efficiencies, EOX Vantage delivers premier solutions through our Enterprise Operating System and Managed Services. Varun Badarinath, product manager at Clients from the Insurance, EOX Vantage and its liaison for Arrowhead, Transportation, Manufacturing, noted: “We’ve had the pleasure of working with Healthcare, and Legal industries Arrowhead Rental Programs for more than two choose EOX Vantage for the years now. We are proud of our very productive quality and results that our partnership that just keeps getting better. This product and services provide. agreement with Hyundai is going to give us a great Through the actionable head of steam heading through the rest of 2020.” dashboards and data analytics of EOX Vantage’s secure, all-inone platform, businesses gain the EOX Vantage then monitors the Rental Programs for more than two visibility they need to make better programs and reviews user feedback years now. We are proud of our very informed decisions, resulting in to ensure continuous improvement productive partnership that just and satisfaction. In this way, the keeps getting better. This agreement increased productivity, reduced time and cost, and enhanced company has helped grow the with Hyundai is going to give us a Mercedes-Benz rental program by great head of steam heading through collaboration. EOX Vantage allows clients to focus on what they do 30% from 88 participating dealerships the rest of 2020.” best by reducing the time it takes to to 118 as of today. The Subaru manage their essential operations Service Loaner Program is provided ABOUT ARROWHEAD: and improving effectiveness with to all the approximately 630 Subaru Since its founding in 1983, data and insights. Retailers in the U.S., but less than Arrowhead has proudly embraced

30 JULY 2020

TABLE OF CONTENTS

www.chart-exchange.com


NEWS - LLOYD’S OF LONDON

COVID-19 WILL SEE HISTORIC LOSSES ACROSS THE GLOBAL INSURANCE INDUSTRY Lloyd’s market set to pay out up to US$4.3bn to customers. Lloyd’s, the world’s leading (re) insurance market, today revealed that it will pay out in the range of $3bn to $4.3bn* to its global customers as a result of the far-reaching impacts of COVID-19. This is on a par with 9/11 in 2001 and the combined impact of hurricanes Harvey, Irma and Maria in 2017, all of which led to similar pay outs by the Lloyd’s market**. These losses could rise further if the current lockdown continues into another quarter. Lloyd’s believes that once the scale and complexity of the social and economic impact of COVID-19 is fully understood, the overall cost to the global insurance non-life industry is likely to be far in excess of those historical events. To understand the impact of the pandemic on the global nonlife insurance industry, Lloyd’s undertook an economic study of the potential losses. This looked at both underwriting losses through the Profit and Loss Account, as well as the www.chart-exchange.com

reduction in the value of investments which insurance companies hold to fund future claims payments. The economic study took account of the current pay out estimates assuming continued social distancing and lockdown measures through 2020¬, as well as the forecast drop in GDP globally. The estimated 2020 underwriting losses covered by the industry as a result of COVID-19 are approximately $107bn, on par with some of the biggest major claims years for the industry, such as when three catastrophic windstorms have struck (2005: hurricanes Katrina, Rita and Wilma; 2017: hurricanes Harvey, Irma and Maria). Importantly, these natural catastrophes were geographically contained events, occurring over the course of hours and days – vastly different in nature to the global, systemic and longer-term impact of COVID-19. In addition, unlike other events, the industry will also experience falls in investment portfolios of an estimated $96bn, bringing the total projected loss to the insurance industry to $203bn.

John Neal, CEO of Lloyd’s, said: “The global insurance industry is paying out on a very wide range of policies to support businesses and people affected by COVID-19. The Lloyd’s market alone is currently expected to pay claims amounting to some $4.3bn, making it one of the market’s largest pay-outs ever. What makes COVID-19 unique is the not just the devastating continuing human and social impact, but also the economic shock. Taking all those factors together will challenge the industry as never before, but we will keep focused on supporting our customers and continuing to pay claims over the weeks and months ahead. “Alongside making record pay outs, we have been turning our attention to what more we can do to support business and society through this incredibly difficult time. In addition to our £15m package of charitable donations, we have set aside £15m in seed capital to explore how the industry can create or house structures which support economic recovery and mitigate against future

See Covid-19 Losses Page 38 TABLE OF CONTENTS

JULY 2020

31


Bringing U.S. Entrepreneurship to the London Market The CHART/Wilson Elser strategic partnership combines the innovative underwriting philosophy of the world’s oldest insurance brand with the entrepreneurial mindset of U.S. agencies. For close to 40 years, Wilson Elser has helped organizations to better navigate challenging markets and realize improved combined ratios. We provide London- and Europe-based insurers with ready access to more than 60 discrete legal services delivered by nearly 800 attorneys in 34 strategic locations throughout the United States. Guided by a proprietary, systematic legal project management program, we help clients define strategies and achieve outcomes that align with agreed business requirements. We also implement dedicated Program Claim/Litigation Management services, creating value and driving efficiencies with respect to legal spend and indemnity. Wilson Elser is especially proud of its strategic partnership with CHART Exchange and our shared commitment to strengthening relationships between cover holders and risk takers on either side of the Atlantic.

wilsonelser.com Š 2017 Wilson Elser. All rights reserved. 567-17


ANALYSIS - WILSON ELSER

PAYCHECK PROTECTION PROGRAM: CERTAIN TAX ISSUES INVOLVING LOAN FORGIVENESS By Islame Hosny

T

he Paycheck Protection Program (PPP) was established by section 1102 of the Coronavirus Aid, Relief, and Economic Security (CARES) Act and is implemented by the Small Business Administration (SBA) with support from the Department of the Treasury. The PPP is intended to provide relief to certain small businesses in the form of loans during the coronavirus pandemic. One important attribute of PPP loans under the CARES Act is that such loans are eligible for

forgiveness if the loan proceeds are spent in the manner prescribed by the CARES Act and SBA guidance. Another important attribute of PPP loans is that the forgiveness of such loans is not taxable to the borrower for federal income tax purposes. TAX CONSEQUENCES OF PPP LOAN FORGIVENESS A borrower that qualifies to have its PPP loan forgiven should keep in mind certain tax consequences of the loan forgiveness. For example, if a business borrows funds under a PPP loan, spends the loan proceeds

A

bout the author: Islame Hosny is a tax attorney who focuses his practice on mergers and acquisitions, trusts and estates, wealth preservation, federal income taxation, state and local income taxation, and state and local sales tax. Islame’s experience also includes working as a tax director at a Big Four accounting firm where he provided tax compliance and consulting services to multibilliondollar hedge funds, private equity funds, funds of funds and fund managers. Islame has extensive experience in federal income tax matters, especially partnership taxation.

www.chart-exchange.com

TABLE OF CONTENTS

in the manner prescribed by the CARES Act and SBA guidance, and the PPP loan is forgiven, it is not clear whether these expenditures would be deductible for federal income tax purposes. On one hand, the IRS has issued tax guidance specifically denying a deduction under such circumstances. On the other hand, some members of Congress have recently introduced legislation to clarify that such deductions should not be denied due to the mere fact that the borrower’s PPP loan is forgiven. That proposed legislation, however, has yet to become law. Another tax consideration of PPP loan forgiveness that a borrower should not lose sight of is the potential state income taxation of the loan forgiveness. The fact that PPP loan forgiveness is excluded from taxable income at the federal level does not necessarily mean that the forgiveness is excluded from income for state tax purposes. The state tax consequences of PPP loan forgiveness will depend on the applicable tax laws of each state.

See Paycheck Protection Program Page 33 JULY 2020

33


NEWS - LLOYD’S OF LONDON

LLOYD’S PRESENTS SOLUTIONS FOR GLOBAL INDUSTRY AND GOVERNMENT PARTNERSHIPS TO FAST-TRACK SOCIETAL AND ECONOMIC COVID-19 RECOVERY

O

pen-source frameworks provide blueprint for better protecting society against systemic catastrophic events. Lloyd’s, the world’s leading specialist insurance and reinsurance market, today published a number of ways the insurance industry could fast-track global economic and societal recovery from the far-reaching impacts of COVID-19. These include three open source frameworks*, that help build future resilience through innovative partnerships and products together with a Centre of Excellence to better understand, model and provide insurance for systemic catastrophic events. The solutions and frameworks, developed in conjunction with our UK and Global Advisory Groups **, are detailed in Lloyd’s “Supporting global recovery and resilience for customers and economies: the insurance response to COVID-19” Report published today.

34 JULY 2020

Following interviews with executives and experts across key global industries, the proposals seek to address short, medium and long-term challenges customers face as they begin to recover and reopen^. The proposals include solutions for the reopening of businesses against the threat of further waves of COVID-19, building greater resilience across global supply chains as well as the digital economy, and preparation and protection for the next systemic catastrophic event. As the COVID-19 pandemic continues to devastate economies and communities, with impacts requiring resources that can only be accessed by governments, there remains an urgent need to protect society as it recovers and prepares for an uncertain future. To address the many complex challenges ahead, the Report sets out three proposed ‘open source’ frameworks that are freely available for application around the world, two of which require government and (re) TABLE OF CONTENTS

insurance industry partnerships. If implemented, these three frameworks could provide customer protection for further waves of COVID-19 (ReStart and Recover Re) and other future pandemics, as well as strengthening societal resilience against future systemic catastrophic events (Black Swan Re). ReStart, a potential non-damage business interruption solution (loss of revenue without a physical damage trigger) ~ for future waves of COVID-19 being developed by the Lloyd’s market, specifically focuses on supporting SMEs. The solution is focused on giving certainty of non-damage business interruption coverage initially to UK SMEs by pooling limited capacity across a number of Lloyd’s market participants. The product would support SMEs reopening, offering a range of limits that ensure it is affordable for

See Lloyd’s Solutions Page 43 www.chart-exchange.com


www.bluevoyant.com

••

For insureds that need forensics, incident response, or proactive security services

••

BlueVoyant is a pure play cybersecurity firm

••

WE GET IT – we do it faster and better

Austin Berglas | Global Head of Professional Services austin.berglas@bluevoyant.com Vincent D’Agostino | Head of Cyber Forensics & Incident Response vincent.dagostino@bluevoyant.com Jennifer Rothstein | Business Development Head, Insurance & Legal jennifer.rothstein@bluevoyant.com Breached: incident@bluevoyant.com | Info: contact@bluevoyant.com www.chart-exchange.com

TABLE OF CONTENTS

JULY 2020

49


ANALYSIS - EOX ADVANTAGE

ADJUSTING TO THE NEW BUSINESS REALITIES OF INSURANCE by Mike Fieseler

I

n just a few months, the COVID-19 pandemic has completely changed the world, basic human interactions and how companies do business. Being in risk management and mitigation guaranteed the insurance industry would not be an exception. The global crisis forced insurers to react quickly and comprehensively. Experts are currently debating whether things will ever go back to the way they were. Will insureds want a return to the once prevalent person-to-person sales scenario over the now ubiquitous digital interface for their agent interactions? When can we expect to enjoy our old standard schedules and flight experiences for plane travel between the U.S. and U.K.?

Nobody knows for certain the answers to such questions. What we do know is that the pandemic has accelerated the already rapid rate of change that was happening in the insurance industry even before the virus arrived. Prior to the virus, digitization, automation and other technological strategies were on the rise for insurance businesses to stay competitive, leverage data and save time and money. Now they have been embraced more and more as a natural solution to the more remote-oriented environment in which we have been living much of this year. The unprecedented business climate in 2020 sent MGAs, brokers and agencies scrambling to integrate services that can work within the new commonplace of enforced isolation and insulation from others.

In home insurance, for example, virtual inspections, appraisals, claims and the like are becoming increasingly virtual. They can be accomplished by the homeowner uploading video, drone fly-bys of roof damage or data gathering and transmission via IoT sensors. The most fundamental of insurance transactions have been affected. Receiving a quote, getting in touch with an agent, purchasing a policy, requesting a document or COI, submitting a claim—all are transforming into more virtual, automated or online functions. Insurance workers and the many different office people they partner with are working from home, some of them with no discernible end in sight. Zoom meetings have become the norm. Insurers need a digital

A

bout the author, Mike Fieseler: Mike’s focus is on helping clients achieve operational efficiencies and cost savings. His career has spanned IBM, ARC, DataTrak, and for the past 10 years EOX Vantage. Last year he achieved the CPL - Certified Program Leader designation through Target University of the Target Markets Program Administrators Association (TMPAA).

36 JULY 2020

TABLE OF CONTENTS

www.chart-exchange.com


workplace platform to connect dispersed teams, with effective tools for team members to track and manage document changes, communicate and collaborate. To deal with such expansive changes, insurers must implement tools and practices for performing remote work, managing the policy lifecycle, reducing labor costs, improving their speed to market and reallocating staff resources for optimal efficiency. Two effective methods to address the mounting changes and pressures of our current situation are the automation of repetitive processes and outsourcing of back-office tasks. Either way, these options can help bridge the gap between the old ways and the new normal. They help enable insurers to quickly develop new programs, bring them to market rapidly and effectively, make operations efficient, enhance policyholder user experience and cater to new consumer shopping styles. On the human side, outsourcing through a managed services team lets remote workers complete those everyday, routine, very necessary but repetitive and labor-intensive tasks that take up so much time. This shouldering of the back-office burden lets your own staff members focus on more profitable and customer-facing efforts. Contracted workers can help organizations get through backlogs, www.chart-exchange.com

which have been on the rise during the pandemic. They can cover call center functions and do the many fundamental, repetitive backoffice tasks that support the overall business. This approach lets the contractor handle staff training and consistency. Team members can make the best use of their time by focusing on “following the money� of handling renewals, generating new programs and other top line enhancing efforts instead of dealing with back-office tasks.

Outsourcing back-office duties can help businesses save money and be able to better cover hours with a 24/7 approach to availability. Besides inbound and outbound calls, typical services include loss runs, follow-ups and file prep. Another way to address backoffice duties, and make them extraordinarily efficient, is through process automation. Automation is technology-based, replacing clunky manual tasks with efficient automated workflows. It provides a great way to manage complexity, leverage data, maintain compliance and ensure a single source to track changes, keep records and share files. Workflow automation also provides value by speeding up business processes and

TABLE OF CONTENTS

meeting consumer expectations for easy to use tools that offer more or less instant gratification. This, in turn, improves data collection and access, increases visibility and control of data, and removes human errors that accrue during data entry. It can help leaders resolve the issues presented by inconsistent file formats and multiple unintegrated systems or departments. APIs make for speedy, simplified data retrieval and exchange between and across systems. Sales-wise, the pandemic has caused a good deal of fluctuation. There have been spikes in cyber insurance to cover the surge in remote workers using their own connections, as well as unemployment insurance to mitigate the turbulence in labor markets. Meanwhile, some other kinds of policies took a huge dip. We will likely continue to see peaks and valleys in policy purchasing and program adoption. But the really telling movement to keep an eye on could be the changing of actual methods used by insurers in response to the pandemic. These new practices may become the new industry standard over time. The best advice for insurers at this time might be to make some changes of their own through new technology. With virus-related sea changes still afoot, along with ever tighter margins, such a plan could represent one of the best strategies to survive and even start to thrive in these complicated times.

JULY 2020

37


NEWS - LLOYD’S OF LONDON Continued From Page 31

COVID-19 WILL SEE HISTORIC LOSSES events of this magnitude. We are also working with our Advisory Committees to develop a number of initiatives to support our customers and economic recovery in the short, medium and long-term.”

38 JULY 2020

In addition to managing wideranging pay outs across sectors and geographies, the experts, entrepreneurs and innovators drawn together by the Lloyd’s market have already started creating new policies to support the immediate health response as well as the longer-term exit strategy. This includes the search for diagnostics, treatments and vaccinations, where one Lloyd’s syndicate^ is insuring more than 100 individual clinical trials taking place around the world investigating all stages of COVID-19. Sitting alongside the £15m package of support for charitable organisations responding to the pandemic, Lloyd’s is also

TABLE OF CONTENTS

repurposing existing innovation initiatives in its Innovation Lab and Product Innovation Facility to help fast track development of insurance products to support the response to COVID-19. Lloyd’s plans to announce a series of further initiatives in the coming weeks as it continues to work with government, industry and business to support the short, medium and long-term response to COVID-19. One initiative under consideration includes establishing a ‘Recover Re’ insurance vehicle offering “after the event” cover for pandemic related business recovery, including the current COVID-19 pandemic.

www.chart-exchange.com


ANALYSIS - PL COMMUNICATIONS Continued From Page 15

insider keywords relating to your niche market.”

IS YOUR LINKEDIN PROFILE HELPING OR HURTING YOU? you are. So, if your photo looks unprofessional, what does that say about you? It’s worth investing in getting a professional photo to look professional. According to LinkedIn, members who include a profile photo receive 21x more profile views and up to 36x more messages. You haven’t written a word, and you are already ahead of the game. Your profile also has a background image or header at the top of your profile. Just like your photo, it adds to making you look professional. Some people prefer a billboard approach with a header that includes their logo and possibly a tag line. Others prefer a header that reflects something about them personally, whether it is where they are from or their industry. Whatever you choose, think about what it conveys to the reader about you. 2. Keywords are just as crucial on LinkedIn as they are when designing a website. Keywords are the words someone you want to www.chart-exchange.com

find you uses when they conduct a search. Think like that person. What problem does that person want to solve in their business? What are some of the issues facing that person? The answers to those questions are your keywords. Niche marketing is an advantage to get better search results. When you narrow down the search from “business insurance” to “transportation insurance,” there are fewer results and less competition. Drill down to a transportation subspecialty like “school bus insurance,” and you stand out even more during a search. Mitch Gonsalves author of “The Linkedin Executive Advantage Workbook” says, “When it comes to LinkedIn, your profile is the main pillar. If you do not have a highly niche-specific, professional profile which clearly communicates your value and who you help, you’re shooting yourself in the foot. It has to be sharp, and it has to contain TABLE OF CONTENTS

3. Once you decide on your keywords, use some of them in your profile headline. The headline is the text underneath your photo. Make it about how you help the people you want to reach, not just a job title. WHICH IS BETTER? (A) “Marketing Consultant for Professional Services.” Or, (B) “I help professional services companies define their target audience, reach them through multiple media channels, and gain new business.” People want to know how you help them, so anticipate their questions and answer them – not just in your headline, but in your entire profile. Professionals tend to take their expertise for granted. You may not think of yourself as a “subject matter expert,” but your knowledge and expertise is what persuades people to do business with you. Think about the problems your prospects have and how you solve them. That is the basis for your headline. 4. If you have a reader’s interest, don’t create a roadblock to being able to contact you. Many profiles just have your LinkedIn contact information. Make it easy as

See Linkedin Profile Page 44 JULY 2020

39


FORESTRY WORLDWIDE FORESTRY (RE)INSURANCE FACILITY Pardus was established in 2013 by Keith Thompson, formally CEO of Advent capital Holdings Ltd and Darren Stockman Active Underwriter of Syndicate 780 and Director of Advent Underwriting Ltd. Pardus are an independent Managing General Underwriter, a Lloyd’s approved Coverholder, and an appointed representative of Capita Commercial Insurances Limited.

Cover

Maximum line of USD 8.5M any one risk, any one location. Capacity provided by Lloyd’s of London and “A-” rated company paper. Perils covered mainly Fire and Windstorm, but we can offer additional coverage for hail, ice, snow, frost. We cannot cover Pest and Disease, although we can offer cover under a small sublimit for Pest and Disease treatment costs. Sublimits available for fire-fighting costs, aerial photography, debris removal, claims preparation costs etc.

Frost

Hail

Snow & Ice Storm

Flood

PERILS COVERED Rainfall Deficiency

Fire

Malicious Damage

Windstorm

Business Interruption is offered when fruiting trees are destroyed by covered physical damage perils, leading to a loss of yield while the new trees develop •

We have specialist Pardus facilities in place to cover Public Liability (in Europe) and associated forestry Plant and Machinery risks


OUR TAILORED PRODUCTS

Full Value and Value at Risk

Full Value works in the traditional way with insurer retaining any salvageable value from the insured property. Value at Risk leaves an agreed salvage (based on salvage scales developed by Pardus using age and species data) in the ownership of the client. Pardus then only insure the non-salvage element meaning the final rate will be applied to a fraction of the TSI generating a lower overall cost to the client.

Target business: •

We are keen to see any enquiry for standing timber commercial planation forestry

• •

Information requirements for quote: •

Perils to be insured against

Schedule of forest locations by values, age, species

Forestry risks with accreditation from the Forestry Stewardship

Locational information needs to be provided in either

Council (or similar)

shape file format (.kmz) or the latitude/longitude

Forest Owners comprise:

coordinates of the centre point of each location

-

Individual investors

5-10-year ground-up loss experience by peril

-

Commercial Plantation Companies

Desired policy structure:

-

Individual Forest Owners

-

Timberland and Investment Management Organisations

-

(TIMO’s)

Additional features: -

-

Forest Management Organisations (FMO’s)

-

Real Estate Investment Trusts (REIT’s)

-

Banks loans made to forest owners or fruit tree owners

-

Forest Owner Associations

Deductibles, limit etc Firefighting costs, claims preparation, aerial photography, plantation infrastructure

To download our full forestry questionnaire, please visit our website https://pardusunderwriting.com/products/forestry/

Exclusions

Property

Buildings

Terrorism

Pest and Disease

Drought

Crop

Fruits, Nuts etc

Phil Cottle - Senior Agricultural Underwriter Direct +44 (0)203 735 1608 Mobile +44 (0)7769 895048 phil.cottle@pardusunderwriting.com Dan Longden Cert CII - Underwriting Assistant

Direct +44 (0)203 735 1610 Mobile +44 (0)7756 961500 daniel.longden@pardusunderwriting.com

Pardus Underwriting Ltd. 1st Floor, 3 Lloyd’s Avenue, London, EC3N 3DS www.pardusunderwriting.com

“We have access to a worldwide forestry binding authority covering the physical damage to commercial forestry. There is a maximum line of USD 8,500,000 any one risk, any one location and the covered perils can be found on this flyer. This is written 100% Lloyd’s/company market and Prospect are the Insurance broker”


ANALYSIS - WILSON ELSER Continued From Page 11

UPDATE ON EEOC COVID-19 RETURN TO WORKPLACE GUIDANCE employers may proceed as they would for any other request for an accommodation under the Americans with Disabilities Act (ADA). If the employee requests the alternative method as a religious accommodation, employers should determine if accommodation is available under Title VII.

• Notice in Advance of Return to Work. Employers may provide advance notice to all employees advising them of who to contact to request an accommodation they may need for a disability upon a return to work even if a return date has not been set. The notice may identify the medical conditions listed by the U.S. Centers for Disease Control and Prevention (CDC) that may place people at higher risk of serious illness if they contract COVID-19. The notice should explain that the employer is willing to consider, on a case-by-case basis, any reasonable request from employees who have the CDClisted or other medical conditions. Should an employee request an accommodation in advance of returning to work, employers

42 JULY 2020

may engage in the interactive process before the return to work date and proceed as they would for any other request for an accommodation under the ADA.

• Pandemic-Related Harassment. Employers should remind all employees that harassment by any means, including emails, calls, video or chat communications, based on national origin, race or other protected characteristics is illegal. Employers also should remind supervisors and managers of their role to look out for, stop and report workplace harassment.

• Age Discrimination. Employers may provide flexibility (e.g., telework, modified schedules) to employees age 65 and older even if it results in employees age 40–64 being treated less favorably based on age in comparison. Employees age 65 and older also may have medical conditions that bring them under the protection of the ADA, entitling them to request a reasonable accommodation for their disability.

TABLE OF CONTENTS

• Caregiver/Family Responsibilities Discrimination. Employers may provide flexibility to employees with school-age children due to COVID-19-related school closures or distance learning, so long as employers do not treat employees differently based on sex or other protected characteristics. For example, employers should not provide flexibility to female employees but not male employees because of a genderbased assumption about who may have caretaking responsibilities for children.

• Pregnancy Discrimination. Employers may not exclude an employee from the workplace due to pregnancy even if motivated by a genuine concern for the pregnant employee’s health and safety due to the pandemic. Pregnant employees may be entitled to an accommodation under the ADA for pregnancyrelated medical conditions. Pregnant employees also may be entitled to job modifications and leave under Title VII to the extent such modifications and leave are provided to other employees who are similar in the ability or inability to work. There may be state and local legislative developments that could impact the guidance provided by the EEOC. Employers should consult legal counsel for individualized legal advice regarding specific circumstances on COVID-19-related return to work issues.

www.chart-exchange.com


NEWS - LLOYD’S OF LONDON Continued From Page 34

LLOYD’S PRESENTS SOLUTIONS customers, without requiring any government support. Recover Re sets out a proposed ‘after the event’ insurance product framework, that could provide immediate relief and cover for non-damage business interruption over the long-term, including the current COVID-19 pandemic. If implemented, this could be an efficient way to inject commercial and government funds into the economy, providing relief to customers with limited borrowing capacity. This framework could be implemented in any country where the government has the resources and industry commitment to support it. Black Swan Re is a reinsurance framework for government and industry partnership that could better protect customers from the devastating and long-term impacts of systemic catastrophic events – from another pandemic, or global supply chain disruption, to the interruption of critical infrastructure or utilities. The framework would www.chart-exchange.com

provide reinsurance for commercial non-damage business interruption cover for black swan events through industry pooled capital, backed by a government guarantee to pay out if ever the pool had insufficient funds. Alongside developing and sharing these frameworks, Lloyd’s is developing a Centre of Excellence supported by up to £15m in seed capital investment. The Centre will build resource and capability to better understand, model and create products that better protect customers against systemic risks, including pandemics. This will include new technical capabilities and services to support insurers, and academic partnerships to develop a better understanding of systemic risks and customers' emerging needs from the insurance industry.

These Lloyd’s proposals show what a positive role our industry could play as society rebuilds and recovers. We recognize that most of these proposals will need governmental support in each country to turn these good intentions into the practical solutions.” To kickstart the creation of the Centre of Excellence, Lloyd’s Innovation Lab is already working with insurtechs that can provide some of these TABLE OF CONTENTS

capabilities, including exploring the application of an epidemic tracker to better evaluate and underwrite pandemic risk, as well as solutions to help close the insurance gap for systemic risks. In parallel, Lloyd’s Product Innovation Facility is focusing on innovating products to respond to an accelerated shift towards intangible-driven business models in response to COVID-19. Lloyd’s Chairman, Bruce CarnegieBrown, said: “The purpose of insurance is to help businesses and communities manage the risks they face, enable them to recover quickly from disasters by paying claims, and provide the security that allows them to innovate, develop and drive economic growth. COVID-19 has demonstrated that there is much more we can do to support our customers by providing protection for the changing risks they face. Some of these risks are of a scale that require partnership with governments globally and this report identifies ways in which the insurance industry could work with governments to share risk and create a braver, more resilient world.” Andrew Brooks, CEO of Ascot Group, said: “Now is the time for the insurance sector to step up and demonstrate its value to society. The proposals in this paper give us a target to aim at and will kickstart our industry’s response to the challenge

See Lloyd’s Solutions Pg 52 JULY 2020

43


ANALYSIS - PL COMMUNICATIONS demonstrating results you have achieved get attention.

Continued From Page 39

IS YOUR LINKEDIN PROFILE HELPING OR HURTING YOU? possible to reach you. Include your address or city especially if your business relies on local customers. Add a phone number where you can actually be reached and an email address that you check every day. LinkedIn expert Gary Vaynerchuk suggests you include a LinkedIn link in your email signature to extend your marketing reach. Sometimes people need to be convinced to contact you directly – to convert them to buyers, offering a newsletter, E-Book, or report can help them take the next step to a call.

Rule number one – don’t be boring. Don’t be afraid to inject your personality or your “take” on your field’s issues. In an initial business meeting half the battle is the

(A) Boosted sales 50% (actually that alone is pretty good!) Or (B) Worked with the marketing team to develop new marketing materials, online promotions, and an email campaign that boosted sales 50%. Now you are not only a sales star, but also a team player who knows how to use different media channels to improve results. If you can add a testimonial to the story, that is even better. Let’s say this sales campaign was for a client, not your business. (C) Worked with the marketing team to develop new marketing materials, online promotions, and an email campaign that boosted sales 50%. Our client Smith Insurance said, “We had tried different marketing approaches, but this is highly focused effort achieved the best results.”

Your profile is your first step towards using LinkedIn. Once you have that in place, you can generate content, seek recommendations, advertise, participate in LinkedIn groups, and much more. But, that is another article.”

5. Jimi Hendrix once asked, “Are you Experienced?” Your LinkedIn profile is not a resume. It is essentially an ad demonstrating your value to a potential customer or employer. It is your elevator pitch online. A resume is a document you send to someone. A LinkedIn profile

44 JULY 2020

is a page people go to because they are looking for you.

WHICH IS BETTER?

chemistry or the personal connection you have with the other person. Think of your profile as that business introduction online.   Don’t be modest, but don’t brag either. Brief anecdotes or stories TABLE OF CONTENTS

Readability is essential – use shorter sentences and blocks of type. LinkedIn expert Tyron Giuliani suggests, “A client should be able to easily see that you understand their business needs and can offer solutions. To showcase this, use a consistent framework throughout. Consider breaking each experience section up by subtitles.” Tyron Giuliani also adds, “You need to break with the ‘rules’ of LinkedIn. www.chart-exchange.com


Rather than frame your profile in that reverse chronological resume style, think of those experience sections like pages of a website. Use the media space provided to showcase your services, products, and the transformational opportunities you bring to the table. Put another way, your profile should be about addressing the needs of your ideal client and not about you.” LinkedIn has company pages and personal profile pages. If you are promoting your business, you might think that is the job of the company page. Your profile page is a powerful tool for your company - whether you are an employee or a business owner. Content makes it even more powerful. In “How Brands Can Unlock FirstParty Data and Connections” written by Jillian Ryan of eMarketer, “One approach for individual-user strategy is to distribute marketing messages via the profiles of key company executives. Close to three-fourths of marketers polled in July and August 2019 said they find social media posts shared from people’s personal profiles more persuasive than those from brand profiles, according to findings from Social Media Today and GaggleAMP.” Your profile is your first step towards using LinkedIn. Once you have that in place, you can generate content, seek recommendations, advertise, participate in LinkedIn groups, and much more. But, that is another article. Paul Lavenhar is the principal of the insurance marketing communications firm PL Communications.

www.chart-exchange.com

Continued From Page 33

PAYCHECK CHART PROTECTION DEFENDER PROGRAM: CERTAIN COVERHOLDER E&O TAX ISSUES AVAILABLE NOW! INVOLVING LOAN FORGIVENESS POTENTIAL FOR UPDATED TAX GUIDANCE Small businesses that are considering applying for PPP loan forgiveness should plan ahead for any potential tax consequences that could arise from such forgiveness. Each business’s unique facts and circumstances should be reviewed in light of updated tax guidance applicable to the taxation of PPP loan forgiveness as such guidance becomes available.

Mark Lann Phone:

302-765-6070 Email: chart.eo@rockwoodinsurance.com

Although the current IRS position is that expenditures that give rise to PPP loan forgiveness are not deductible, this result could potentially be changed by Congress, but that remains to be seen.

TABLE OF CONTENTS

JULY 2020

45


STUDENT REPORT I

ntro: Shaina Lowenthal is a student in my Introduction to Cyber Risk Ccass at Hunter College, CUNY University. I am proud of her work – both in class and outside of class – and was compelled to share this senior’s interest in and pursuit of cyber security knowledge. As our nation needs more talented professionals to fill the cyber security workforce gap, Shaina exemplifies one of those candidates. Additionally, Shaina shows leadership as a woman emerging in the field and hopefully will encourage other young women to consider such a career. The article below reflects Shaina’s interest in the cyber security risk associated with biometrics. The research she completed for this article was inspired after having read the Suprema breach and she was self-motivated to write this piece – it was not an assignment. I am excited to see how Shaina develops into a successful cyber security professional and I know the industry will benefit from her technical knowledge, ambition and in-depth understanding of all facets of cyber risk. - Jennifer Rothstein Business Development Head, Insurance & Legal, for BlueVoyant

ARE PASSWORDS PASSÉ? By Shaina Lowenthal

and cumbersome. In addition, multi factor authentication (logging into he Verizon 2020 Data Breach a device via two or more displays Investigations Report states of authentication) makes for a poor that Social Engineering is the user experience. Arsenault plans for cause of 22% of Microsoft to be completely all data breaches this past Fingerprints and facial password free by 2021. Arsenault year. This statistic indicates recognition information insists that biometrics are the that in 22% of breaches, bad best method to protect his can still be duplicated actors manipulate users into company's assets. But does that revealing their passwords. or copied just like a password. put our own personal assets, It is no surprise then, that for example our fingerprints, By securing data solely with passwords are going out of at risk? After doing research on style. Passwords are a threat biometrics, we are moving the Suprema breach of 2019 for to both our network security my Cyber Risk course at Hunter from one vulnerable security and our own personal College, I quickly began to think mechanism to another. We security. how devastating of an incident cannot change our genetic this could be. Passwords can also makeup, therefore, it will be be exploited through August 14th 2019, the catastrophic if compromised.“ On keylogging (recording keys Guardian published a major on a keyboard) and brute vulnerability of Suprema, a force attacks (repeatedly guessing Bret Arsenault, the Chief Security biometrics security company. The user credentials until an attempt Officer of Microsoft, boasts about his article proved Suprema was storing proves to be successful). In addition, accomplishment to transition Microsoft millions of unencrypted fingerprints, we often repeat our passwords, use from a password protected company passwords, usernames, facial the same ones across various devices towards biometric driven protection, recognition information, and Personal and accounts, and rarely change them. such as fingerprints, iris scans and Identifiable Information of their users Even large organizations neglect to facial recognition. Arsenault argues and employees in a publicly accessible implement password change policies that passwords are hard to remember database. The Israeli researchers who

T

46 JULY 2020

for their employees. Passwords are not human proof. In the last 5 years, we have seen a new trend emerge as an alternative to passwords: Biometrics.

TABLE OF CONTENTS

www.chart-exchange.com


A

bout the author: Shaina Lowenthal is a rising senior in the Macaulay Honors College at Hunter College. She is pursuing a Bachelors of Arts in Computer Science and minoring in Religion. She is currently working for the NYC Department of Transportation as a College Aide, where she uses Web Development and Data Analytic skills to improve and automate the workflow of the DOT. She is involved in many extracurriculars at Hunter College. She previously served as the Vice President of the Hunter Hillel, the pluralistic Jewish community at Hunter College, and volunteered with the AT&T Upstander Fellowship, a fellowship dedicated to advocating against cyber bullying in high schools. She is pursuing a career in the cybersecurity and risk management fields because she is interested in solving problems related to data and asset protection. New risks and threats present themselves daily, and she is excited for the challenge to prepare for them. found this vulnerability were able to access, copy and edit biometrics. That terrified me! Since then, Suprema hopefully patched this vulnerability, but it got me thinking: if biometrics is the new standard of security, is it safe?

methods of how Apple stores our biometrics in their various devices. In addition, it mentions how they stay hidden and untouchable from potential attackers. Here are some key points: •

Accessing a device with the tap of a finger or even a smile is definitely convenient and really “cool”. No longer do you need to remember a lengthy password, but a glance or wink unlocks most new Apple devices. If Apple and Microsoft are moving towards this direction, then we would assume it is safe, right? Wrong. I don’t think we should assume. Fingerprints unlocking our phone is the new norm. Soon it will cover all banking platforms, entering our homes and even cars. But have you ever wondered how detrimental it would be to have your genetic makeup stolen? Suprema can just be one example. I researched the security of Apple’s Touch ID and Face ID, as these are technologies I use daily. Apple’s Spring 2020 Platform Security Manual details in 150 pages the behind the scenes www.chart-exchange.com

main processor, or powerhouse of the device, because if an attacker were to infiltrate your device, they would most likely enter through the main processor. Thus the crown jewels of the device, or most important assets, are isolated and kept in a different location, the Secure Enclave. In addition, even if the powerhouse of the device was compromised, the cryptographic protocols would still operate to protect our data from being viewed by the attacker.

Apple encourages Face ID and Touch ID because it simplifies a user's ability to access their device. Note, however, that passwords are still required on every Apple account. This is beneficial because it allows for users to create more sophisticated passwords as they are not using them as frequently. •

Fingerprints and facial recognition data is stored on each individual device and not on a server, therefore, eliminating the risk of an attacker stealing many biometrics from one source.

Apple creates their hardware for the basis of their secure software. The most important example is the Secure Enclave coprocessor, which encrypts the data stored on the device, including biometrics. This coprocessor is separated from the TABLE OF CONTENTS

The encryption method used for the data stored on the Apple device is AES, Advanced Encryption Standard, which has become the industry standard for encryption. AES is a symmetric key cipher, meaning one key is used to encrypt (or lock) and decrypt (or unlock) data. This form of encryption is used when files do not need to be sent externally. Apple uses AES256, the highest and most secure version of AES, as I learned from my See Are Passwords Passé? Page 51 JULY 2020

47


ANALYSIS - BLUEVOYANT

INSIDER THREATS DURING ECONOMIC DOWNTURNS By Tim Lehey

C

ovid-19 is causing the largest global business disruption since the 2008 Financial Crisis and may soon exceed those economic consequences. Facing existential revenue loss, economic crises often place organizations in a financial situation that forces pay cuts, furloughs, layoffs, and other disruptions that impact employees’ income security, health benefits, and morale. Feelings of anxiety, resentment, helplessness, entitlement, betrayal, and revenge can lead to malicious behavior directed towards erstwhile employers. Moreover, the unprecedented rollout of work-from-home policies has created enormous potential for negligence-based insider threats. New

remote access protocols are being stood up in a hurry and a myriad of other technical changes are being made to networks at a pace that outmatches corresponding security implementation. The normalizing of work-from-home employment creates vast opportunities for the misuse of VPNs (virtual private networks), teleconferencing, and email compromise due to negligence, lack of technology training, or IT misconfiguration. As global business adjusts to the difficulties borne of the Covid-19 pandemic, organizations must be vigilant and responsive to a substantial increase in insider threats, be they motivated by malice or byproducts of negligence. Insider threats exist even for companies on relatively stable

footing. The mere possibility (or even unfounded rumors) of layoffs creates risk as employees begin to make decisions based on fear and uncertainty. Developers who feel entitled to their coding work product could attempt to clandestinely exfiltrate it. Sales team members may try to take their ‘rolodex’ of contacts for use by a competitor, or even worse, secret financial information. There are as many contexts for insider threats as there are jobs in your organization. In fact, Human Resources Departments are increasingly being trained to detect abnormalities in employee behavior and automated monitoring tools are also being adopted to trigger alerts. One thing is clear: there is almost See Insider Threats Page 52

About the Author: Tim Lehey is a Cyber Threat Intelligence Analyst and Dark Web Investigator at BlueVoyant. He has expertise in open-source and dark web online investigations. Tim holds a Master’s in International Security Policy and previously worked as a Latin America Cybercrime Analyst at the dark web intelligence firm Flashpoint.

48 JULY 2020

TABLE OF CONTENTS

www.chart-exchange.com


NEWS - LLOYD’S OF LONDON Continued From Page 43

LLOYD’S PRESENTS SOLUTIONS of protecting businesses and communities, both as they recover in the short term and build resilience over the longer term. At Ascot we are looking forward to working with Lloyd’s to make this happen.” Scott Purviance, CEO of Amwins, said: “These Lloyd’s proposals show what a positive role our industry could play as society rebuilds and recovers. We recognize that most of these proposals will need governmental support in each country to turn these good intentions into the practical solutions.” The launch of this Report, and the frameworks and solutions within follow Lloyd’s 14 May 2020 confirmation that the market will pay out in the range of $3bn to $4.3bn¬ to its global customers as a result of the far-reaching impacts of COVID-19. In addition to managing wide-ranging pay outs across sectors and geographies, the experts, entrepreneurs and innovators drawn together by the Lloyd’s market have already started creating new policies to support the

50 JULY 2020

immediate health response as well as the longer-term exit strategy. This includes the search for diagnostics, treatments and vaccinations, where one Lloyd’s syndicate^ is insuring more than 100 individual clinical trials taking place around the world investigating all stages of COVID-19. Lloyd’s is also actively working on an insurance solution to support the safe transportation of a COVID-19 vaccine (when developed) to emerging markets.

CHART DEFENDER COVERHOLDER E&O AVAILABLE NOW!

Previously, Lloyd’s has also confirmed a £15m package of support for charitable organisations responding to the pandemic, targeting healthcare, wellbeing and innovation.

NEVER MISS AN ISSUE OF THE CHART EXCHANGE!

Mark Lann Phone:

302-765-6070 Email: chart.eo@rockwoodinsurance.com

SUBSCRIBE NOW!

TABLE OF CONTENTS

www.chart-exchange.com


STUDENT CONTRIBUTION Continued From Page 47

ARE PASSWORDS PASSÉ?

device during the manufacturing process. •

Cryptography and Cryptanalysis class at John Jay. •

Psyomjesus, Steal password, CC BY-SA 4.0

Apple software cannot access the keys used to encrypt our data. They can see the results of the encryption, but they will not be able to understand it without knowing the key. These keys are erased and saved on each device as needed and not stored in the cloud. These secure keys needed to encrypt our biometrics are created by combining our password and the Unique ID of every Secure Enclave coprocessor using the AES encryption standard. The Unique ID is assigned to the hardware of our

During Touch ID, an advanced imaging array scans the finger and sends it to the Secure Enclave. The processor forwards a version of the scan to the Secure Enclave but cannot read it because it is encrypted, random and unique to each scan. After it is read and analyzed, the scan is deleted. It is never transferred to another device or stored on a backup. Face ID is programmed with many advanced technologies to prevent forgery and allow for a fast and easy unlock of a device. The facial information of the user does not leave the device and is also stored in the Secure Enclave. The matches stored in the Secure Enclave are updated over time, as the user may grow facial hair, wear makeup, develop wrinkles or undergo cosmetic procedures.

I delved into Apple’s Touch ID and Face ID because it is the technology

I rely on the most. In addition, the above information was specific to iPhone 5s and later, iPad Air and later, and Mac computers with the T1 or T2 chips. I urge you to do your due diligence if you use Windows Hello, Amazon Alexa, Google Home, or Samsung Galaxy devices. How do they compare? Despite the fact that our fingerprints and facial information is securely stored on our Apple devices, an issue still remains. Fingerprints and facial recognition information can still be duplicated or copied just like a password. By securing data solely with biometrics, we are moving from one vulnerable security mechanism to another. We cannot change our genetic makeup, therefore, it will be catastrophic if compromised. Apple mandates multiple levels of authentication for each device and that adds layers to the protection of our assets. Looking to the future, with the ease of biometrics, more data and important assets will be protected with just a tap of a finger. Access to our crown jewels should be more complex than a one step solution. We need a better system that involves a more individualized process to prevent our biometrics from being mimicked. In the meantime, we can continue to change our passwords often, restrict the amount of important data protected by biometrics, and update our software regularly to limit vulnerabilities. What do you think: How can technology solve this problem?

www.chart-exchange.com

TABLE OF CONTENTS

JULY 2020

51


ANALYSIS - BLUEVOYANT Continued From Page 48

INSIDER THREATS DURING ECONOMIC DOWNTURNS always a cyber component to all contemporary insider threats. The latest major insider threat report was released by the Ponemon Institute just prior to the Covid-19 outbreak. That investigation revealed staggering costs associated with insider threats: •

If it involves a negligent employee or contractor, each incident can average $307,111. However, given this type of incident is the most frequent (comprising 62% of incidents), the total costs can add up to an average of $4.58 million per year within each organization. The average cost per incident almost triples if the incident involves an imposter or thief who steals credentials ($871,686). The costliest type of credential theft involves the theft of privileged users’ credentials. In this research, 14% of incidents involved the theft of privileged users‘ credentials. Annually, these

52 JULY 2020

types of incidents cost each organization an average of $2.79 million. •

Criminal and malicious insiders cost the organizations represented in this research an average of $755,760 per incident. Even though malicious incidents are often the most publicized, they comprise only 23% of overall incidents. However, their impact can add up over the course of the year, costing each organization an average of $4.08 million.

COVID-19 has attacked the globe viciously. Both publicly and privately, individuals and businesses are faced with potentially catastrophic health, financial and emotional consequences.” COVID-19 has attacked the globe viciously. Both publicly and privately, individuals and businesses are faced with potentially catastrophic health, financial and emotional consequences. These extenuating circumstances provide fertile ground for ample insider threats. The BlueVoyant team, with its insurance partners and breach coaches, pledges to do our part to mitigate the direct and collateral damage arising out of this pandemic. TABLE OF CONTENTS

WOULD YOU LIKE TO HAVE YOUR MESSAGE DELIVERED TO 100,000+ FOCUSED INSURANCE INDUSTRY EMAIL ADDRESSES EVERY MONTH?

I’m Kate Boyle Managing Editor. I handle CHART Exchange Advertising. Call me at 302 765-6056 and let’s have a conversation.

www.chart-exchange.com


LLOYD’S OF LONDON

www.chart-exchange.com

TABLE OF CONTENTS

JULY 2020

53


Turn static files into dynamic content formats.

Create a flipbook
Issuu converts static files into: digital portfolios, online yearbooks, online catalogs, digital photo albums and more. Sign up and create your flipbook.