Cyber Risk Management: Train your Employees!!

Written by Rebecca Gomez

Studies have shown that most breaches affecting organizations are not committed by nefarious unknown forces but by the organization's own current or former employees. Experts in the cyber intelligence community found that 60 percent of all breaches affecting organizations were carried out by individuals within the organization who, intentionally or unintentionally, took sensitive information with them when they departed. Of that 60 percent, 44.5 percent were done maliciously by employees and 15.5 percent were done inadvertently: accidentally opening malware, sending sensitive information to an incorrect e-mail address, or losing a company laptop. It is imperative that your organization be proactive in preventing breaches.

Employees have more access to information than in previous decades. The internet has dissolved the traditional network boundary, allowing employees to take company data outside the organization. No single individual employed at your organization, whether it is small or large, should have full, unrestricted access to all sensitive company information.

Breaches can be prevented by creating, implementing, and educating employees on policies and procedures. Most employees may not be aware they are violating company policy if they are downloading information to take home. That is why it is important to train your employees on proper usage and protection of their workplace computer system and digital information. You should also set up procedures that block employees from being able to copy sensitive information.

Being proactive in protecting your organization is key. A cyber policy can further help protect your organization against the costly expenses associated with a data breach. Let us know if you have any questions regarding Cyber risk management or Cyber Liability Insurance. We are here to help.

Are You Ready for the New Year?

Be Prepared or it Can Cost You!

As the New Year begins, it is important for every organization to review their risk management procedures by addressing any weaknesses to prevent potential accidents that lead to costly claims. One risk management tool to assist in mitigating the costs of claims arising out of your organization’s operations is to have adequate insurance coverage in place. Without proper insurance coverage, one lawsuit or a catastrophic loss can close down your operations.

While there are numerous insurance coverages available in the marketplace, the following are basic coverages that every organization should consider:

  • Commercial Property Insurance covers your building, personal property, and equipment in the event of fire, theft, storm, and other perils outlined in the policy. Consider adding Business Interruption and Equipment Breakdown coverages to the property policy. Make sure that you insure your buildings and personal property/equipment at replacement cost value [the cost to restore or replace damaged property without deduction for depreciation]. Failing to insure your property adequately (to at least 80% of its value) can result in a co-insurance penalty, which reduces the amount you can expect to recover if you under-report the value of your property. Consider purchasing flood and earthquake insurance, since most property policies exclude damage or losses resulting from earthquake and flood.
  • General Liability Insurance provides coverage for liability claims from a third party (such as a client, vendor, visitor, etc.) for Bodily Injury and Property damage due to negligence. Most General Liability policies include liability coverage for Products/Completed Operations and Personal Injury (i.e. slander or libel).
  • Volunteer-Accident Insurance covers individuals who donate their work to your organization without pay. Coverage is triggered when those individuals are injured while performing duties related to the conduct of your business.
  • Workers’ Compensation covers the medical treatments, disability, and death benefits of employees who are injured or killed during the course of employment. In California, employers must carry workers’ compensation if they hire employees. It is imperative that every organization ensures its work environment is safe, as claims history is one of the factors that determines your premium.
  • Directors & Officers Liability and Employment Practices Liability Coverage: coverage for Directors and Officers liability can be stand-alone or coupled with other coverages such as Employment Practices Liability. It is important to read the terms, conditions, and exclusions of your policy and review the coverage with your attorney. It is also important to check whether your policy’s defense limits are inside or outside the liability limits.
    1. Directors & Officers Liability – the Board of Directors is ultimately responsible for the nonprofit organization. It is therefore important that they are informed of their legal liability, the risk management program, and the organization’s insurance coverages. Directors and officers liability protects the individuals who serve on an organization’s board of directors against claims brought by employees, vendors, or other parties for alleged “wrongful acts” in the management of the organization. There is no standard coverage policy form, so it is important to read the terms, conditions, and exclusions of the policy. For example, the definition of “insured” differs among insurance carriers.
    2. Employment Practices Liability – protects the organization against claims made by employees alleging discrimination, wrongful termination, harassment, and other employment-related issues. Most carriers do not insure wage and hour claims in California, but some may offer a defense sublimit for wage and hour claims.
  • Umbrella policy’s purpose is to protect your organization against a catastrophic liability loss. The Umbrella policy is a form of liability coverage protecting the policyholder for claims in excess of the limits of the primary General Liability, Automobile, or Workers’ Compensation. Umbrella policies may also include a few other liability coverages, such as: Professional Liability, Employee Benefits Liability and Abuse & Molestation.
  • Crime (Fidelity Bond) Insurance provides a source of recovery for funds embezzled by employees or volunteers. If your CPA or Bookkeeper is an independent contractor, make sure they provide you with proof of their insurance (General Liability, Professional Liability, Bond, and Workers’ Compensation policies). If they do not carry their own insurance, discuss this exposure with your attorney, as most crime policies will not insure the acts of independent contractors.
  • Professional Liability Insurance coverage that indemnifies the insured for third-party liability claims due to negligence in the performance of professional services. Professionals include Doctors, Lawyers, Therapists, Social Workers, Engineers, etc. The Professional Liability coverage can be purchased as a separate policy or included under a General Liability policy form. However, most standalone professional liability policies are written on a claim made policy form. Therefore, be aware of the retroactive date listed on the policy.
  • Abuse and Molestation Coverage can be critical for social service organizations, especially those that work with children and vulnerable adults. There is no “standard” coverage form, so before purchasing coverage make sure to read the terms, conditions, and exclusions carefully. Screen and supervise prospective employees and volunteers, and review with your attorney to make sure your organization carries adequate limits to protect your organization.
  • Cyber Insurance is a special form of commercial insurance created to protect businesses against cyber (internet) risks, such as hackers and other breaches of computer system security. Before purchasing a cyber policy, check your other insurance policies (such as General Liability and Directors & Officers) to determine whether they already carry cyber coverage. Claims resulting from cyber losses are on the rise, and it is imperative to ensure that your organization has the proper controls in place to protect its data from a breach. Most cyber policies are written on a claims-made basis, so it is important to be aware of the retroactive date listed on the policy.
  • Automobile Liability covers organizations that use vehicles as part of their operations. Company vehicles should be insured under a comprehensive commercial liability policy with limits high enough to protect the organization. If employees use personal vehicles for business, organizations should add hired and non-owned auto liability coverage to protect the business in the event the employee is in an accident.
Start the New Year off right by reviewing your risk management procedures. It is important that you review your current insurance coverages with your broker and attorney. Also, make sure your organization is in compliance by having your broker and attorney review your contracts.

Baker Romero offers an annual review of coverages as well as risk management and loss control services. Let us know if you have any questions regarding any of the coverages listed above or would like us to provide a quote. We are here to help and we wish you a happy and prosperous New Year.

**This article is intended only for informational purposes and not to be construed as legal advice.

Tips to Help Prevent Employee Theft

A recent report shows that the majority of employee thefts occur in small businesses with fewer than 150 employees. In most instances, trusted employees perpetrate the theft.

The following are a few of the more common embezzlement myths, which fool administrators into complacency:

  • “Everyone who works here is a trusted employee.”
  • “Nonprofits rarely have to deal with embezzlement issues.”
  • “We are protected because the Audit will catch any embezzlement problems.”

Below are practical tips to help minimize employee theft within your organization:

  1. Establish best practices in the accounting department that include dual signature requirement or dual review of disbursements. There should be a separation in key business processes. Do not allow one person, including high-level employees, to have control over any function from start to finish.
  2. Provide training sessions for all employees to spot fraudulent activity and illustrate the damaging impact of fraud.
  3. Surprise audits are effective because fraudsters will not have time to destroy or misplace records.
  4. Thoroughly screen prospective employees (and volunteers) with a background check.
  5. If you contract with a bookkeeping service or an independent contractor, they should provide you with proof of their insurance including General Liability and Professional Liability.
  6. If fraud is suspected, immediately retain legal counsel to conduct an internal investigation. You should consider hiring a law firm with an expertise in embezzlement.
  7. Obtain the appropriate Crime Policy to protect your organization, as most liability and property policies will not cover employee theft. Make sure to carry high enough limits to protect your organizations’ crime exposure.

Crime policies (or Fidelity Bonds) can be purchased as a separate policy or included under the commercial business package. Crime policies require that you cooperate with the insurance company in the event of a loss. Proof of a crime usually requires a full investigation. A Crime Policy provides coverage for loss or damage of money, securities, or other property resulting directly from theft by an employee. Most policies exclude electronic data unless it is covered by endorsement. Another option to consider is adding the Volunteer Endorsement if volunteers help in your accounting/bookkeeping department or handle funds.

According to the 2017 Hiscox Embezzlement Study, bookkeepers are the position most commonly found to commit theft, followed by managers. The most common embezzlement schemes include:

  1. Funds theft – employee takes cash or bank deposits, or employee transfers money into their own account.
  2. Check Fraud – Employee alters or forges check.
  3. Credit Card Fraud – Employee fraudulently uses the employer’s credit card.
  4. Payroll Fraud – Employee uses payroll system to divert funds to themselves or family members.
  5. Vendor Fraud – Employee creates fictitious invoices.

A few warning signs of embezzlers include:

  1. Disgruntled employee.
  2. Diligent and ambitious employee who appears to be extremely involved in company matters.
  3. Employee with extravagant lifestyle.

Employers should not be complacent about instituting preventive measures. The reality is that people who steal from their employers often work in organizations with an attitude of blind trust. Strong internal controls and effective hiring practices will go a long way toward mitigating employee theft risks.

Call us if we can be of assistance or if you would like a quote for crime coverage.

**This is intended to be used for informational purposes only and should not be construed as legal advice. Consult with your attorney and CPA for advice on appropriate controls and policies. 

Back to Basics: Cyber Risk Management and Your Employees

By Rebecca Gomez


Communicating cyber security risk management procedures to all staff is critical for every organization. A recent report indicated that two-thirds of all cyberattacks against organizations (large and small) result from employee negligence or malicious activity. The same report also indicated that external breaches caused only about 18 percent of cyberattacks. Human error, according to many studies, is the leading cause of cyber-attacks. Therefore, administrators and employees need regular training on how to identify and prevent cyber-attacks.

Minimizing cyber threats requires a cyber security plan that includes effective policies and procedures that account for legal compliance and data protection. These policies should include (not an exhaustive list):

  1. A bring your own device (BYOD) policy governing whether an employee may use their own device to conduct business, and the circumstances under which personal cell phone use for business is appropriate.
  2. A password policy requiring the use of strong and unique passwords that change at least every 6 months.
  3. Personnel policies that enhance security.
  4. A network tracking policy requiring regular monitoring of network traffic for evidence of suspicious access.

Organizations should also have an incident response plan in place that outlines how the company will respond to suspected events. Implementing an incident response plan will help your organization quickly investigate and remediate cyber-attacks. It will also name the leaders of the response team and their responsibilities in carrying out the plan. The board of directors should be informed of the organization’s cyber security program and exposure, as they are ultimately responsible. Brown & Streza offers a unique proactive approach to a Data Security Breach plan that can help your organization prepare in the event of a breach.

Cyber Risk Insurance should be considered as part of your risk management plan (and not as your only plan). A Cyber Risk Insurance policy can offer nonprofit organizations affordable protection. There is no “standard” cyber policy form, and administrators should review their cyber policies to understand what coverage they provide. Most standalone Cyber policies offer forensic investigation coverage, system restoration costs, defense and indemnity costs for litigation resulting from the loss of personal information or other sensitive data, and defense costs and penalties associated with regulatory investigations. Most General Liability policies now exclude coverage for cyber-related claims.

Please let us know if you have any questions regarding cyber risk management or would like us to provide you with a quote. (see attached application)

Cyber Risk Management and Cyber Liability Insurance

By: Rebecca Gomez

Last weekend, a ransomware virus known as “WannaCry” affected 150 countries and more than 300,000 people. Ransomware is a cyber attack in which hackers encrypt files on the victim’s systems and hold them for ransom. In the case of “WannaCry,” the hackers demanded $300 to restore the victim’s data.

An important lesson to take from this incident is that no one is 100% safe from cyber crime. If the appropriate measures to protect your data are not diligently taken, your organization is vulnerable, and recovering from a cyber attack can be costly. The Hiscox Cyber Readiness report stated that last year alone, cyber crime cost the global economy $450 billion.

Below are some risk management tips your organization may want to consider regarding cyber risk:

  • Conduct regular backups of systems.
  • Use strong, unique passwords, which provide a barrier against intrusions.
  • When using unfamiliar websites, make sure the URL begins with https. The “s” indicates that the connection to the site is encrypted.
  • Promptly install the updates required by your browser, operating system, anti-virus and anti-spyware software.
  • Be aware of the e-mail you receive: if a deal sounds too good to be true, be very skeptical. If you receive a message from a co-worker, employer, or someone you know and it sounds out of character, or contains nothing but a link in the body of the email, it may be suspicious. Check with the sender to make sure it is legitimate; it could be a phishing fraud.
  • Do not use an unprotected Wi-Fi network for your business: always require a password, and do not conduct business over public Wi-Fi.
  • Password-protect smart phones and computers.
  • Train employees on cyber risk management.

The “WannaCry” ransomware incident serves as a good reminder to keep current with system updates and to contact your IT person to check your organization’s software for vulnerabilities. Good data security is key to protecting your organization.

Cyber Liability insurance should be part of your organization’s risk management program. If you have a Cyber Liability policy, be sure to review it and understand the terms and conditions. Many cyber policies offer effective loss control services to help protect your organization. Let us know if you have any questions regarding Cyber Liability or would like us to provide you with a quote. We are here to help.

Cyber Threats: Be Prepared.

As hackers and cyber thieves become more technology literate, the scale and sophistication of cyber-attacks are increasing. In San Francisco, for example, the San Francisco Municipal Transportation Agency (SFMTA) became the victim of a ransomware attack. A user (in SFMTA’s case an employee) unknowingly downloaded the malware onto their computer, which was then locked by the cyber criminals’ ransomware. Ransomware is a type of malicious software designed to block access to a computer system until a sum of money is paid.

The internet is not as stable an institution as many believe. Web companies have tight security protocols dedicated to their network security infrastructure. In October, Dyn, a web company that provides domain name system (DNS) services, was attacked. Its servers were bombarded with traffic from a “botnet,” a network of malware-infected machines used to overwhelm a server until it crashes.

These are two examples that prove no one is 100 percent safe from cyber-attacks. Tracey Vispoli, President at Berkley Cyber Risk Solutions, advises that, “Everyone should assume at some point their data will be viewed by an unauthorized person or group of persons with the intent to disrupt, destroy, or hack that information for their own gain or purposes.”

Cyber threats can have an impact on all insurance policies. In reviewing insurance policies, organizations should look for where coverage exists and where there’s a gap. Some policy forms include data breach exclusions, while others include some coverage that may not be sufficient to recover lost data and other expenses accrued from a loss. As cyber threats become increasingly common, cyber policies will also evolve, according to Manny Cho, executive vice president at Risk Placement Services, Inc.

Cyber risk management is a good practice that organizations can do to help protect themselves from losses. But what should organizations do in the event they fall victim to a cyber-attack? Having a cybersecurity strategy can be a good defense. Christopher Roach, Risk and Advisory Services managing director for CBIZ, has a 3R strategy that can be helpful in the event of a breach.

  1. Recognize: Organizations need to find the source of the incident. Finding the source is important to help minimize the damage. Roach advises looking to internal controls: monitor logs and network access for signs of a breach.
  2. React: Cut off the access point to slow down the attacker, and attempt to preserve the compromised environment. Proactive monitoring, training of employees and other IT users, and layered security all help here. Law requires that if any identifiable information has been compromised, the affected parties must be notified; check with your attorney for more information in the event a breach of this nature occurs. Forensic analysis should be conducted, and organizations should look for a technology company experienced in cybersecurity risk mitigation.
  3. Recover: Organizations need to fix the vulnerable areas that led to the breach and discuss what they can do to better secure their data. After that, organizations should implement a risk management program and conduct periodic cyber risk assessments.
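The “Recognize” step above, and the network tracking policy described earlier on this page (regular monitoring for evidence of suspicious access), both come down to reading the logs for patterns that should not be there. The script below is an added example written for this page, not code from the original posts or from any of the firms named; it reviews a set of constructed sshd-style authentication lines for three signs of trouble: a burst of failed logins followed by a success (a guessed password), a successful login by an account that HR has marked as departed (the departing-employee risk from the first post), and logins outside business hours. The log format, the thresholds, the business hours and the `DEPARTED_ACCOUNTS` list are all assumptions.

```python
"""Log review for the "Recognize" step: scan authentication log lines for
signs of suspicious access. Added example; the log format, thresholds,
business hours and the departed-account list are all assumptions."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines in an sshd/syslog-like format (not real data).
SAMPLE_LOG = """\
2024-01-08 08:55:01 host sshd: Accepted password for alice from 10.0.0.5
2024-01-08 09:10:12 host sshd: Failed password for bob from 203.0.113.9
2024-01-08 09:10:14 host sshd: Failed password for bob from 203.0.113.9
2024-01-08 09:10:17 host sshd: Failed password for bob from 203.0.113.9
2024-01-08 09:10:19 host sshd: Failed password for bob from 203.0.113.9
2024-01-08 09:10:25 host sshd: Accepted password for bob from 203.0.113.9
2024-01-08 22:40:03 host sshd: Accepted password for carol from 10.0.0.7
2024-01-08 23:05:44 host sshd: Accepted password for dave from 198.51.100.4
"""

# Accounts that HR has flagged as departed (constructed list).
DEPARTED_ACCOUNTS = {"dave"}

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) \S+ sshd: "
    r"(?P<result>Accepted|Failed) password for (?P<user>\S+) from (?P<src>\S+)$"
)


def parse_log(text):
    """Return (timestamp, result, user, source) tuples; unparseable lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S")
            events.append((ts, m["result"], m["user"], m["src"]))
    return events


def find_guessed_passwords(events, threshold=3, window=timedelta(minutes=5)):
    """Flag a (user, source) pair when at least `threshold` failures inside
    `window` are followed by a success: the pattern of a guessed password."""
    failures = defaultdict(list)
    alerts = []
    for ts, result, user, src in events:
        key = (user, src)
        if result == "Failed":
            failures[key].append(ts)
            continue
        recent = [t for t in failures[key] if ts - t <= window]
        if len(recent) >= threshold:
            alerts.append(f"{user}@{src}: {len(recent)} failures then success at {ts}")
        failures[key] = []  # a success resets the counter for this pair
    return alerts


def find_departed_logins(events, departed=DEPARTED_ACCOUNTS):
    """Flag any successful login by an account HR lists as departed."""
    return [f"{user}@{src}: departed account logged in at {ts}"
            for ts, result, user, src in events
            if result == "Accepted" and user in departed]


def find_off_hours_logins(events, start_hour=7, end_hour=19):
    """Flag successful logins outside the assumed business hours [start, end)."""
    return [f"{user}@{src}: off-hours login at {ts}"
            for ts, result, user, src in events
            if result == "Accepted" and not start_hour <= ts.hour < end_hour]


def review_log(text, departed=DEPARTED_ACCOUNTS):
    """Run all three checks and return the combined list of alert strings."""
    events = parse_log(text)
    return (find_guessed_passwords(events)
            + find_departed_logins(events, departed)
            + find_off_hours_logins(events))


if __name__ == "__main__":
    for alert in review_log(SAMPLE_LOG):
        print("ALERT", alert)
```

On the sample data the review produces four alerts: bob’s four failures followed by a success, dave’s login on a departed account, and two off-hours logins (carol and dave). The departed-account check only works if HR actually feeds the monitoring process a current list, which is the organizational link between the personnel policies and the technical controls that the posts on this page keep returning to.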

A cyber insurance policy should be considered as part of your risk management plan. Most policies are designed to protect your organization from various types of cyber threats. For more information regarding cyber policies or if you would like us to provide a quote, let us know. We are here to help.

*This article is intended to be used for informational purposes only and not to be construed as legal advice. 

Protect Your Organization: Cyber Risk

By: Rebecca Gomez

“A company’s cybersecurity is only as strong as its weakest link.” (Nicole Hung, Dow Jones News Service, 2015)

According to a recent article in Rough Notes (March 2014), cyber-attacks against smaller businesses (with fewer than 250 employees) have increased significantly over the past two years. Criminals have learned that small businesses have valuable data that is relatively easy to get, because small business owners often skimp on security measures. A company that holds confidential information (Social Security Numbers, Drivers’ License numbers, bank account numbers of employees or clients, etc.) carries a significant cyber risk exposure when it relies on a computer network, allows laptops or remote access to its network, and/or provides online access to sensitive data.

A more recent report by The Dow Jones News Service indicates that employee error is one of the most common causes of data breaches at companies. For example, an employee can make a mistake by accidentally sending an email with sensitive information to someone outside the company. According to the article, thirty percent of breaches have occurred as a result of employee error. Another cause of data breaches is third parties sending spam emails designed to trick employees into giving up their personal information.

There are many misconceptions when it comes to Cyber Security, below are just a few examples:

  • “I’m a small organization so I am not a target for hackers.”
    Statistics show that breaches affect organizations of all sizes. In fact, organizations with under 100 employees accounted for thirty-one percent of the breaches in 2013, according to the Verizon Data Breach Investigations report.
  • “I outsource my data to a third-party vendor (data center/cloud provider).”
    Most data centers/cloud providers do NOT accept liability in their service agreements. Check your contracts.
  • “My IT security is top notch.”
    Even the most sophisticated IT security systems cannot protect against human error or intentional acts of employees. This is not just an IT issue, but an issue for other stakeholders within an organization (HR, Finance, Operations, and Board of Directors).
  • “My funding sources do not require that I purchase cyber coverage so it must be covered under one of my other policies.”
    Most commercial General Liability and Property policies will not cover data loss suffered by a non-profit because electronic data is excluded from most policies. Some insurance companies are now adding limited coverage to their policies.

The following are a few basic tips for businesses to protect themselves against cyber criminals:

  1. Continually train employees in security principles
  2. Protect information, computers, and networks from viruses, spyware, and other malicious code
  3. Provide firewall security for your internet connection
  4. Make backup copies of important business data and information
  5. Secure your Wi-Fi networks (make sure they are secured and hidden)
  6. Regularly change passwords and make sure employees use strong passwords that cannot be guessed easily (not “1234” or “password”)
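Tip 6 above, and the password policy listed in the “Back to Basics” post earlier on this page (strong, unique passwords changed at least every 6 months), are easier to enforce than to preach if the checks run at the moment a password is set. The routine below is an added example for this page, not code from the original posts; it rejects passwords that are too short, too uniform, on a short list of easily guessed values such as “1234” and “password”, contain the username, or repeat one of the account’s previous passwords, and it separately reports whether the current password has exceeded the rotation period. The length and character-class thresholds, the 180-day rotation value, the blocklist contents and the PBKDF2 parameters are assumptions.

```python
"""Password-policy checks: minimum length, character mix, blocklist of
easily guessed passwords, no reuse of previous passwords, and an age limit.
Added example; the thresholds and the blocklist are assumptions."""
import hashlib
import hmac
import os
from datetime import date

# Constructed blocklist; in practice use a large breached-password list.
COMMON_PASSWORDS = {"1234", "12345678", "password", "password1",
                    "qwerty", "letmein", "welcome1"}
PBKDF2_ITERATIONS = 100_000  # assumed work factor


def hash_password(password, salt=None):
    """Return (salt, digest) using salted PBKDF2-HMAC-SHA256; only this pair is stored."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return salt, digest


def matches_stored(password, salt, digest):
    """Constant-time comparison of a candidate against a stored (salt, digest)."""
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return hmac.compare_digest(candidate, digest)


def check_password_policy(username, candidate, history=(), min_length=12, min_classes=3):
    """Return the list of policy violations for a proposed password (empty means OK).
    `history` holds (salt, digest) pairs of the account's previous passwords."""
    problems = []
    if len(candidate) < min_length:
        problems.append(f"shorter than {min_length} characters")
    if candidate.lower() in COMMON_PASSWORDS:
        problems.append("on the easily guessed password list")
    if username.lower() in candidate.lower():
        problems.append("contains the username")
    # Count how many of the four character classes are present.
    classes = sum([any(c.islower() for c in candidate),
                   any(c.isupper() for c in candidate),
                   any(c.isdigit() for c in candidate),
                   any(not c.isalnum() for c in candidate)])
    if classes < min_classes:
        problems.append(f"uses fewer than {min_classes} character classes")
    # Reuse check: the candidate is hashed with each old salt and compared.
    if any(matches_stored(candidate, salt, digest) for salt, digest in history):
        problems.append("reuses a previous password")
    return problems


def password_expired(set_on_iso, today_iso=None, max_age_days=180):
    """True when the password (set on the given ISO date) is older than the
    rotation period; 180 days stands in for the page's 'at least every 6 months'."""
    set_on = date.fromisoformat(set_on_iso)
    today = date.fromisoformat(today_iso) if today_iso else date.today()
    return (today - set_on).days > max_age_days


if __name__ == "__main__":
    old = [hash_password("Correct-Horse-Battery-9")]
    print(check_password_policy("alice", "password", old))                 # three violations
    print(check_password_policy("alice", "Correct-Horse-Battery-9", old))  # ['reuses a previous password']
    print(check_password_policy("alice", "Tangerine!Orbit-42", old))       # []
    print(password_expired("2024-01-01", "2024-07-15"))                    # True
```

Only salted PBKDF2 digests of previous passwords are kept, so the reuse check never needs the old passwords in clear; the candidate is re-hashed with each stored salt and compared in constant time. The rotation period is a parameter so the organization can set whatever interval its policy states.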

What security measures does your organization have in place to protect your data from a breach?

Do you have a Crisis Management plan?
Who is going to deal with the regulatory requirements?

Review/Update H.R. Policies:

  • Document Retention:
    Have a document retention policy and procedures in place to properly discard and destroy files containing Personally Identifiable Information (PII).
  • Equipment Usage
    Develop an effective E-mail and Internet User Policy. Employers should monitor use of system and devices to maintain the policy’s integrity. Employers should consider requiring employees to acknowledge in writing that they have received and reviewed these policies and procedures.
  • Bring Your Own Device (B.Y.O.D.)
    There are risk management concerns when employees bring their own devices (smart phones, laptops, tablets) for business use. Employers can fail to protect organizational data when an employee loses a device that contains sensitive data (employee error), exposes the business’ network to malware located on the employee’s device, or retaliates against the organization by destroying essential data (employee intentional act).
    Develop a B.Y.O.D. policy that outlines which devices and operating systems the organization will support, and require all devices to be adequately password protected. Determine which functions employees can access from their personal devices (email, word documents, etc.). Note that some Cyber Liability Insurance excludes B.Y.O.D. claims.

Cyber Insurance

A special form of commercial insurance created to protect businesses against cyber (Internet) risks, such as hackers and other breaches of computer system security. There is no standard policy form for Cyber Insurance, so look for a policy that provides broad and comprehensive coverage and includes Crisis Management Services.

Cyber Insurance should be considered part of your overall risk management plan.

If you have any questions regarding Cyber Insurance please do not hesitate to ask.

Risk Management tips for your Volunteer Program

Organizations that engage volunteers in their operations should take special care to manage the risks associated with volunteer service. The following risk management strategies can help minimize the risk of volunteer service in your organization and maximize the benefits that volunteers bring to an organization:

  1. Use a volunteer application form to collect information from anyone who wishes to volunteer at your nonprofit. The application should be reviewed and checked for references. If the volunteer is providing direct services to your clients or vulnerable populations (i.e. children, elderly, disabled), a screening procedure should include criminal history background checks and reference checks.
  2. Obtain the volunteer applicant’s permission to verify any and all information on the application.
  3. Use a Volunteer Agreement to set forth the terms of the volunteer’s position in the organization. The volunteer agreement should be customized and based on the work that the volunteer will perform for the nonprofit.
  4. Provide an orientation and training program to make sure the volunteer thoroughly understands their responsibilities and the limits of those responsibilities. The orientation program should also include a grievance process that tells the volunteer how to express dissatisfaction or concerns within the organization.

If you have any questions feel free to call us. We are here to help.
*Always consult with your attorney to review all agreements.

Cyber Crime and Risk Management

The prevention of cyber crime is critical to all organizations. Having the proper security protocols in place will go a long way toward protecting your organization from a cyber attack.

There are several areas of vulnerability when it comes to cyber fraud. Protecting your data requires various layers of protection within your organization. A good place to focus is with your employees as they are a critical first line of defense in your risk management efforts. In order to implement an effective loss control program, train your employees on the use of email and develop an email usage policy.

Hold regular training meetings on basic security threats and prevention measures. Employees must be trained to identify risks associated with email use, as well as the appropriate use of email at work. Consider requiring security awareness training for all new employees and refresher courses every year for all staff. Develop an effective password policy that requires the participation of all employees.

Security awareness can be further enhanced by the use of newsletters or bulletins. When a new virus or cyber attack is detected, inform staff promptly, so that the whole work environment is educated in protecting your organization.

Your Email Usage Policy should be easy to read and enforced. The policy should include what the company email system should and should not be used for, as well as what data is allowed to be transmitted. Have your HR professional or employment attorney review your Email Usage Policy.

Most General Liability policies exclude losses that result from a data breach. Be prepared! Call us if you would like a quote for Cyber Liability.

This is for informational purposes only.

Consult with your employment attorney.

“Celebrating over 28 years of insurance service to the community.”

Protect your Organization from Cyber Risks!

Baker, Romero and Associates’ President, Lillian Romero Gomez, and Michael Hellbusch, Esq., of Tredway, Lumsdaine and Doyle presented a seminar on cyber risk and its legal issues at the 9th Annual Gianneschi Summer School for Non-Profits, California State University, Fullerton. A special thank you to Susan Cadwallader, Ph.D., Director of the Gianneschi Center for Non-Profit Research.