The RISC eNews Blast is intended to provide relevant and timely news information from a number of sources to member pool staff. If you see articles in the journals, email and sources you subscribe to that may be of interest to the RISC membership, please feel free to forward them to Erin Rian for inclusion in the eNews Blast.
In this week's edition of the RISC eNews Blast:
DATA SECURITY & CYBER RISK
Phishing at root of elaborate cyberattacks (First Coast News, 9/4/2013): Spear phishing is an ever-greater cyber-security threat. Hackers are willing and able to do significant research to create messages that appear to be from trusted sources and are convincing enough that even the well-trained wary are willing to click on attachments. Frequently the connection exploited is that between supervisor and subordinate. The hacker’s goal is to obtain the user name and password of employees with privileged access to targeted databases and applications. It is therefore especially important for pools and their members to ensure that employees with privileged access are especially well trained about detecting spear phishing attacks.
Managing Employees: BYO Devices (Mondaq, 9/3/2013): Having up to date policies and good document management practices and infrastructure are among the most important measures an organization can take to protect its information in a BYOD environment.
Establishing an Analytics Culture in Public Safety (Government Technology, 8/29/2013): We hear a lot about how the collection and analysis of Big Data for operationally useful patterns (“analytics”) adversely affects privacy. Much of the discussion focuses on corporate America, but here is a discussion about the advantages that Big Data offers to public safety agencies, and one successful approach to introducing an analytics-led approach to police work. Privacy is not addressed, but it should be an important concern for any department seeking to mine its information for purposes of implementing an analytics program.
US Research Warns of Blurred Lines Around Device Security and Ownership as Enterprises Move Further Into Post-PC Era (Yahoo Finance, 8/29/2013): A private vendor survey documents how personal and enterprise owned technology are increasingly melding in the workplace. The trend of downloading personal applications and software onto enterprise owned devices is especially noticeable in work populations up to 38 years of age. Workers who keep enterprise content on personal devices tend to be younger, up to 24 years of age. Regardless of the workforce’s age, the challenge for the organization is to develop a strategy that manages the interplay of personal and enterprise technology in a way that protects the enterprise systems and information while enabling employees to use their own technology to be more productive.
New York Times site hack shifts attention to registry locks (COMPUTERWORLD, 8/29/2013): The recent hack of the New York Times website by the Syrian Electronic Army demonstrates the vulnerability of website hosts to attacks on their domain name registrars, and to attacks on those registrars’ resellers. A mechanism called a “registry lock” may help protect the website by requiring manual verification and authentication of changes by the top-level domain owner, such as Verisign for .com sites. Even many large organizations do not have a registry lock in place, so they are unlikely to be adopted uniformly by pools and their members. However, the technology is worth monitoring in case it becomes more practical, and necessary, in the future.
How cyber-risk savvy are you? (ABA Banking Journal, 8/27/2013): This article links to a cyber-security and cyber-risk survey issued by the New York State Department of Financial Services in May, 2013. It is an extensive survey, but not difficult to understand for lay persons, and is an enlightening potential checklist for a cyber risk assessment by pools.
The Unthinkable Risks of the Cloud (CFO, 8/27/2013): The assets of even major cloud players like Amazon, Google and Microsoft may be inadequate to cover their customers’ damages if there is a major security breach. That is why those vendors severely restrict their liability in their customer agreements. Cloud providers’ insurers are likewise concerned that aggregation of their exposures in a major event could stretch their ability to respond. Cloud users should understand that they are unlikely to be able to effectively transfer all their potential losses to the vendors. To protect themselves, they will have to carefully assess their remaining risk and make arrangements to manage it on their own.
Napolitano Says U.S. Will Suffer “Major” Cyber-Attack in Future (Claims Journal, 8/29/2013): Outgoing Homeland Security Secretary Napolitano said in her farewell remarks that the U.S. will experience a cyber attack that will cause major disruption in U.S. lives, the economy, and every day functioning of society.
Treasury Issues Proposed Rules for Information Reporting by Employers and Insurers Under the Affordable Care Act
(U.S. Treasury website, 9/5/2013
): The U.S. Treasury issued proposed regulations that would ease the amount of information large employers would have to report on employees’ health coverage. Under the proposed rules, employers would only have to report the cost of information related to single coverage – not family coverage. The health care reform law affordability test only applies to single coverage for purposes of determining eligibility for a federal premium subsidy. If an employee gets the subsidy, the employer may be responsible for a penalty regardless of how much they pay for family coverage. Stakeholders are invited to submit comments on the proposed rules through early November. Reporting entities will be encouraged to voluntarily report information in 2014 with full implementation in 2015. Access the proposed rules here
. IRS Adopts A "Place of Celebration" Rule In Implementing The U.S. Supreme Court’s Windsor Decision
): The IRS recently decided to treat same sex couples that are legally married in any jurisdiction as being legally married for tax purposes no matter where they live. This decision will enable employers to treat all their married employees in a uniform manner for benefit purposes. Pools that operate benefit programs will see the effects of the IRS decision whether or not their state recognizes same sex marriage.
Background Check Policies Exposing Employers to Legal Liability (Mondaq, 8/29/2013): The EEOC says that in most cases automatically excluding applicants from employment based on background checks has a disparate impact on minorities. The EEOC advocates an individualized process that looks at the nature of the conviction, the job applied for, and the time since conviction. Some states have adopted “ban the box” legislation that limits when in the application process employers can ask about criminal convictions. Pools can provide training and consultation to help their members balance compliance with the law with the member’s legitimate need to protect citizens and public employees by conducting appropriate background checks.
Arkansas lawsuits test fracking wastewater link to quakes
): An Arkansas federal district court case scheduled to go to trial in March 2014 seeks relief for a series of earthquakes that allegedly resulted from injection deep underground of wastewater from fracking wells. The plaintiffs are residents of an area that experienced a swarm of more than 1,000 minor earthquakes in 2010 and 2011. The defendants are the wells’ original owner and a company that purchased its assets in 2011. The wells were closed when scientists found a possible connection between the earthquakes and wastewater disposal practices. Approximately 40 lawsuits have been filed in eight states seeking redress for various harms resulting from fracking, but so far none have made it to trial. At present, cities do not seem to be likely targets in such litigation, because most of the regulation is at the state and federal level. However, involvement of a city or a city agency in decisions relating to the siting of a well and wastewater injection sites might result in more exposure than is presently expected.
MEDICARE SECONDARY PAYER
NGHP Town Hall Teleconference - Possible New Movement on the SMART Act and Reoccuring Themes (Franco Signor, 8/5/2013): This blog summarizes the July 25, 2013 CMS Town Hall Teleconference for Mandatory Reporting and Liability, No Fault Insurance and Workers’ Compensation. The full transcript is available here.
PROPERTY & CASUALTY
Fitch: Market Cycle Reaching Peak; P&C 2013 First-Half Profitability Improves
(Property Casualty 360, 8/30/2013
): Fitch Ratings has released a report concluding that the current pricing cycle may be reaching its peak. According to the report, property and casualty insurers and reinsurers realized increased profit during the first six months of 2013, as compared to 2012. However, rate increases are slowing and reinsurance price competition is intensifying. Moody's: US P&C rising rates boost margins, likely to continue over medium term
): A 2013 Moody’s survey finds that insurers are continuing a moderate decline in risk appetite in 2013. Rate increases are expected to continue into 2014 but the size of the increases is expected to taper off. Workers’ compensation loss ratios are expected o continue falling in 2014, but due to low investment returns, further rate increases are expected. Outsourcing Claims Functions - Part One in a Three Part Series on Outsourcing Claims Handling
(Claims Journal, 8/27/2013
): Some insurers are considering outsourcing their claims functions, generally with the goal of achieving cost savings. Outsourcing carries the risk, however, that the savings will be offset by increased costs due to inadequate control of claims. Often results will deteriorate because the insurer does not have the same degree of control over those performing the work as it would have with its own employees. It may be beneficial to outsource to specialized vendors that can provide access to better methodologies, tools and practices than exist in-house, and outsourcing may also free up key staff for other initiatives. Before deciding to outsource, however, insurers should carefully consider what they are trying to accomplish and what controls will help them achieve those objectives in an outsourced environment. Trend of Claims Outsourcing Driven by Finance Execs, New Managers - Part Two in a Three Part Series on Outsourcing Claims Handling
(Claims Journal, 8/28/2013
): Outsourcing claims functions can be a cyclical proposition, which looks good financially until deteriorating results prompt a fresh look at bringing claims back in house, where control is better. It may be more appropriate for some lines of coverage than others. For example, lines of coverage that require special expertise not possessed by the insurer or lines of coverage that do not have a personal injury component may be appropriate for outsourcing. Another approach is to outsource individual functions rather than all functions for a line of coverage. Examples of more readily outsourced functions include fraud investigations, document processing, first notice of loss and medical bill review. In some cases, predictive analytics is being used to identify claims to be outsourced and those to be retained in-house. Risks of Outsourcing Include Vendor Control, Brain Drain - Part Three in a Three Part Series on Outsourcing Claims Handling
(Claims Journal, 8/29/2013
): Less interaction among claims, loss control and underwriting is one of the risks of outsourcing claims functions. Other risks include conflict of interest for a vendor that is serving both the insurer and its competitor, and lack of oversight, leading to lower quality service. In an outsourced environment, audits of the vendor’s performance should include long term performance tracking to ensure that issues are identified and correct early.
State Social Media Account Laws for Educational Institutions
): Nine states presently have laws limiting educational institutions from requiring students to disclose social media user names and passwords. Eleven states have similar laws for employers. Generally, these laws apply to public and private postsecondary institutions. They prohibit institutions from requiring students to provide information and from retaliating if they refuse. Some states have exceptions for certain types of investigations. Some states provide for enforcement through civil actions and other provide for criminal penalties.
OTHER TOPICS OF INTEREST
Half of states lack disaster plans for schools, day care
(USA Today, 9/4/2013
): More than half of states do not impose minimum emergency response standards on schools or day care centers. Pools that cover schools in states where the law does not impose standards may want to include emergency preparedness and response in their training programs.
2013 NLC-RISC Staff Conference - Registration and Preliminary Agenda Now Available!
(October 21-23, 2013 at The Nines in Portland, Oregon
): The NLC-RISC Staff Conference Provides staff of state municipal league-sponsored risk pools with the opportunity to learn about trends, programs, services and best practices in a variety of coverage lines and functional areas, and offers a great opportunity to network with pool staff from across the country ~ all in a non-competitive, collaborative environment! A preliminary agenda and online conference registration, as well as hotel reservations can all be found on the 2013 NLC-RISC Staff Conference Event Page. Contact Erin Rian
with questions or concerns. Southern Municipal Conference IT Conference
(October 16-18, 2013 in Columbia, South Carolina
): The Southern Municipal Conference has sponsored the SMC IT meeting for 11 years. The group meets twice each year to share the IT experiences of each league and/or Risk pool. Presentations by IT experts on the latest hardware and software help keep the participants up to date on the cutting edge of technology. Registration for the SMC IT Group meeting is open to all State Municipal Leagues and League Risk Pools.
Property Inspector - Rhode Island Interlocal Risk Management Trust: Property Inspector for non-profit self-insurance pool for RI local governments. Provide detailed loss prevention inspections, identify potential hazards and design preventive programs. Extensive field work. Knowledge of governmental risks and OSHA Construction Standards. Undergraduate degree in insurance or risk management preferred. Professional certifications/designations (ARM, NFPA, OSHA) desired. 3-5 years field experience. Proficiency in Microsoft Office. Salary commensurate with education and experience; excellent fringe benefits. Resume ASAP to Brian T. Ahern, Director of Risk Management Services, RI Interlocal Risk Management Trust, 501 Wampanoag Trail, Suite 301, East Providence, RI 02915; by fax to 401-438-6990; by email to email@example.com.