The IIAW Blog

Annual Cyber Security Certification Deadline Looms

Posted By Kaylyn Staudt, Wednesday, December 14, 2022

2021 Wisconsin Act 73 created new requirements related to insurance data security that apply to all insurers, intermediaries, and persons required to be licensed, authorized, or registered under Wis. Stats. chs. 600 to 655. This email contains the information your entity will need to comply with this requirement. Additional information regarding these requirements is available on OCI’s website at https://oci.wi.gov/Pages/Cybersecurity.aspx.

Wis. Stat. § 601.952(8) requires that licensees provide an annual certification to OCI that the licensee is in compliance with the information security program requirements of Wis. Stat. § 601.952. Licensees must maintain records that support the certification for at least five years and shall produce the records when requested by OCI. The certification requirement only applies to licensees who are domiciled in the state of Wisconsin. Annual certifications are required to be provided to OCI not later than March 1 every year beginning in 2023.

  • The certification form will be included in insurers' annual financial packets.

  • Intermediary firms and other business entities licensed by Agent Licensing must submit a certification form. Certify compliance with the information security program requirements here.

  • Individual producers are not required to submit a certification form; the exemption for licensees that have fewer than 50 employees would apply.

Note: Completion and submission of the annual certification form is required even if the licensee maintains that it is exempt.

Step-by-step tips for completing the Cybersecurity Certification Form:

1.     The certification forms will be submitted electronically at https://public.oci.wi.gov/finform/public/cybersecurity on or after January 1, 2023.

2.     We recommend that you use the Chrome browser.

3.     Enter the licensee’s NPN: After you enter the first 3 digits of your NPN, you will see a list of licensees. Clicking on your entity’s name will bring up the certification form. The form will be prepopulated with the licensee’s name, license type and NPN.

4.     Choose the Filing Year from the drop down: The certification attests that the licensee complied with the cybersecurity requirements during the prior calendar year. For example, the certification submitted by March 1, 2023 attests that the licensee was in compliance during the calendar year 2022. You should only choose the prior calendar year unless you receive a request from OCI.

5.     Exemption: If the licensee is claiming an exemption, check all boxes that apply. You may also add information in the text box.

6.     Attestation: Be sure to check the attestation box.

7.     Enter the name of the contact person and his/her email address.

8.     Submit: The Submit button is at the top right of the form. If you get an error message, review the form to verify that all required information is entered.

9.     Download the pdf: Be sure to save or print the completed form for your records. Licensees are required to maintain records supporting the certification for at least five years.

Questions regarding the Cybersecurity Annual Certification form should be emailed to: OCICyberReport@Wisconsin.gov with the subject line: Annual Certification Form. IIAW Members are also encouraged to contact Matt Banaszynski, CEO of the IIAW, with any questions pertaining to compliance. He can be reached at Matt@iiaw.com or by calling 608-256-4429.


 

Commentary from Counsel - IIAW Ransomware Coverage

Posted By Administration, Wednesday, April 29, 2020

By: Josh Johanningmeier | IIAW General Counsel

* This article was featured in our April 2020 Wisconsin Independent Agent Magazine.


Federal Court Rules Business Owners Policy Covers Ransomware Attack Damages

 

In late January, the United States District Court for the District of Maryland, in National Ink & Stitch, LLC v. State Auto Property & Casualty Insurance Co., ruled that a business owners policy provided coverage for an embroidery and screen-printing business that had fallen victim to a ransomware attack.  The court described its decision as a continuation of a nationwide trend of courts finding coverage for loss of data or systems functionality following a cyber-attack.  Implicit in the court’s decision may have been a recognition of the increasing frequency and severity of ransomware attacks across the country.  It is critical that you and your agencies also take note of these trends.

 

The National Ink & Stitch Case and Decision

 

In December 2016, National Ink & Stitch suffered a ransomware attack, which prevented it from accessing all art files and other data contained on its server along with most of its software.  The attacker demanded payment in the form of bitcoin to release access to the software and data, which National Ink & Stitch paid.  However, the attacker then requested further payment.  At that point, National Ink & Stitch contracted with a security company to replace and reinstall its software.  While the business’s computers functioned after the reinstall, the new protective software slowed the system.  Further, National Ink & Stitch still does not have access to the lost data, meaning it has to reproduce all of the lost art files.  Finally, computer experts found that it was likely there are still remnants of the virus on the business’s computers, which could ultimately “re-infect the entire system.”

 

Due to past and continuing damages resulting from the attack, National Ink & Stitch presented a claim to its insurer, State Auto, for the cost of replacing its computer system.  The relevant business owners policy states that State Auto “will pay for direct physical loss of or damage to Covered Property…resulting from any Covered Cause of Loss.”  The policy defines “Covered Property” to include “Electronic Media and Records (Including Software).”  However, State Auto denied the claim, finding its insured did not experience “direct physical loss of or damage to” its computer system under the policy. National Ink & Stitch then sued to resolve the coverage dispute.

 

Ultimately, the court held that State Auto’s policy did provide coverage for National Ink & Stitch’s losses.  The court began with the policy language, which explicitly includes “data” and “software” within the definitions of “Covered Property.”  The court also construed the phrase “physical loss or damage” to include the inefficiency of National Ink & Stitch’s computer system following the installation of protective software, finding that a computer can “suffer ‘damage’ without becoming completely inoperable.”  While the court came to its conclusions based on an analysis of Maryland state law, it noted that its interpretation tracks with holdings “reached by the majority of courts interpreting similar policies.”

 

 Now What?

 

Before getting to the potential effects of this ruling on your agencies and clients, it is important to understand the basics.  Ransomware is a computer virus that effectively holds a computer, or an entire system, hostage until a fee is paid.  Ransomware attacks have become increasingly common in recent years.  In the first four months of 2019 alone, there were more than 40 million ransomware detections.  Experts predict that by 2021, a business will fall victim to a ransomware attack every 11 seconds.  Further, the costs for businesses targeted with ransomware can be incredibly high.  The total damages associated with ransomware in 2019 surpassed $11.5 billion, or an average of $141,000 per incident.  In other words, this problem is common, it’s expensive, and it’s not going away any time soon. 

 

So what does this all mean for your agency?  To start, as reflected by the National Ink & Stitch decision, courts across the country have begun to construe business owners policies to cover damages arising from ransomware attacks.  Given the severity and frequency of the problem, and its effects on organizations ranging from multi-national corporations to small towns, courts are unlikely to reverse this trend.  As a result, it is critical that you and your agencies understand the policy language you are presenting to your clients and the coverage they are requesting.  Further, it is increasingly important to have connections with consultants, lawyers or firms that have expertise in not only insurance law, but in the expanding field of data privacy and cybersecurity, so that evaluating response strategy, security planning and coverage can be accomplished.  

 

Conclusion

 

Ransomware attacks may soon become a daily headache for your business clients.  In order to recoup some of the costs associated with these attacks, those clients are likely to bring claims under their business owners policies.  If past is prelude, courts may be sympathetic to those claims and you need to be prepared to handle coverage requests and claims arising from these attacks.

 

Risky Business - Friend or Foe? Don't be a victim of social engineering

Posted By Kaylyn Zielinski, Wednesday, April 29, 2020

By: Mallory Cornell | IIAW Vice President and Director of Risk Management

* This article was featured in our April 2020 Wisconsin Independent Agent Magazine.

As a true crime junkie, the idea of social engineering is intriguing to me; it also presents a significant risk for our members. We are aware of at least two instances of social engineering at our member agencies in 2020 and unfortunately there are likely to be more by year end. To try to prevent additional ‘attacks’, here is some education to share with family, friends and colleagues – because knowledge is the best defense against this type of criminal. 


“Ask any security professional and they will tell you that the weakest link in the security chain is the human who accepts a person or scenario at face value. It doesn’t matter how many locks and deadbolts are on your doors and windows, or if you have guard dogs, alarm systems, floodlights, fences with barbed wire, and armed security personnel; if you trust the person at the gate who says he is the pizza delivery guy and you let him in without first checking to see if he is legitimate you are completely exposed to whatever risk he represents.” (“What is Social Engineering?”)


Social engineering is when a cyber criminal manipulates a person into providing confidential information. This is typically done either by posing as a friend or someone you know, or by acting as another trusted source (think vendor or customer).


Friends


Oh look, grandma forwarded a cute email chain!


If you receive something that you need to “click on the link” to access or that you need to download, pause and think twice about what (or who) might be hiding behind that request. Links and downloads are some of the easiest ways for hackers to gain access to your computer, email accounts, social media accounts and contact lists.


Trusted Sources


I need to make this payment! 


According to an annual data breach report from Verizon, phishing attacks and pretexting are responsible for 93% of successful data breaches. The reason for their success might be the tactics that are used to get the attention of the person on the receiving end. Here are examples of what to look for so you can avoid an expensive breach.

• Displays an urgency to help a friend in need

• Seems to come from a familiar sender, as an email, text or instant message from a well-known company, bank or other institution

• Request for a charitable donation

• Request for you to verify information

• Notification that you’ve won and need to claim your prize

• Posing as a boss or colleague 


It would be very difficult, if not impossible, to avoid becoming a target, but you can arm yourself with knowledge so that you don’t fall into a spammer’s trap. Educate yourself and all employees about what to look for to keep your information safe.
