
4 Biggest Risks Facing Human Services Organizations Today & How to Address Them

By Lisa Vanore and Alexander Buzbee

Human services organizations are doing amazing work keeping individuals cared for and thriving in today’s world. However, even the most humane and well-intentioned organizations face myriad risks that can lead to costly lawsuits and damages when unprepared.

There is an expectation that organizations within the human services industry are in complete control of their participants and their surroundings. But the unfortunate reality is that accidents do happen. And without the right policies and procedures in place, incidents can be extremely damaging to a business’s bottom line and reputation.

Putting the right risk mitigation measures in place is more important today than ever before. Cultural shifts in societal attitudes are leading to juries awarding larger settlements to plaintiffs. In some cases, these settlements are astonishingly high. For example, a jury recently awarded $485 million in compensatory and punitive damages in a case involving child sexual abuse, with a single behavioral health organization left on the hook to pay $405 million of it.

While claims are inevitable, thankfully there are many risk mitigation steps and insurance policies human services organizations can put in place to contain damages and facilitate a quick claims remediation process. As experts in human services risk management and insurance, we understand the biggest risks facing these organizations today and have summarized the actionable steps these organizations can take to reduce their exposure:

1. Sexual Misconduct and Abuse

Sadly, sexual abuse and misconduct is a vast problem in the human services industry. The causes of patient neglect can be related to many different factors, including workload, insufficient policies and procedures and inexperienced staff. With the assistance of the right insurance broker, these issues can be addressed and prevented.

Background checks are a critical first line of defense, especially for all workers who will be handling patients of any age. Continuous education and trainings, provided not only upon hiring but on an ongoing and frequent basis, are another preventative measure that can improve the employees’ skills and knowledge on the job.

Developing a culture of reporting and vigilance will allow employees and participants to feel safe and secure and can ultimately lead to more productivity and better experiences. If an incident does happen, implementing a robust investigation and claim reporting process can protect the interests of the patient and organization by detecting misconduct early.

2. Auto Liability Risks

Human services organizations often rely on transportation to provide essential services such as home visits, medical appointments and community outreach. However, operating vehicles introduces inherent risks, including accidents, property damage and bodily injury that can not only cause injuries, but damage reputations and lead to financial consequences. From a safety perspective, incidents can directly impact the well-being of participants, potentially hindering the organization’s ability to fulfill its mission.

Organizations should implement comprehensive training programs for their drivers, emphasizing defensive driving techniques, safety protocols and adherence to traffic laws. Clear policies and procedures should be established to ensure responsible vehicle use and maintenance. Routine motor vehicle records checks on all eligible drivers, even for those who are driving their own vehicles for work purposes, are important to ensure adherence with the organization’s driving qualifications and guidelines. Routine inspections and regular maintenance of vehicles are essential to identify potential safety hazards and address them promptly.

Finally, organizations must carry appropriate insurance coverage, including comprehensive auto liability policies. Understanding policy terms, coverage limits and exclusions is crucial to ensure adequate protection in the event of an incident.

3. Duty of Care Breaches

In human services, organizations have an ethical and legal responsibility to uphold their duty of care to protect and support the well-being of individuals. When a breach of duty occurs, it can have profound consequences. While they vary depending on the nature and degree of the breach, consequences can consist of legal repercussions, professional sanctions and damage to the well-being of the individuals involved.

Thankfully, there are prevention tools and strategies human services organizations can utilize to reduce the likelihood of breaching duty of care and minimize potential risk to the organization.

It’s important to provide ongoing training to human service staff on topics such as ethics, legal obligations and recognizing signs of abuse or neglect. Organizations should also educate individuals under their care about their rights and available support services.

Human services organizations should create and maintain safe physical environments, including homes, facilities or community spaces where services are provided and ensure that safety measures such as fire exits and emergency protocols are in place and in good working order.

When an incident does occur, it is critical to ensure patient safety and well-being first. This may involve calling emergency services or providing first aid, if necessary. Once the immediate situation is under control, leaders should ensure the incident is thoroughly documented. Depending on the severity and nature of the incident, proper notifications could include supervisors, colleagues, family members, legal authorities and regulatory bodies.

Reports should be factual, objective and should not contain any subjective opinions or judgments. After the incident is reported to the appropriate stakeholders and the insurance carrier, if appropriate, the organization should consider investigating the root causes to prevent similar incidents in the future.

4. Elopement Risks

In the context of human services, elopement refers to the act of a vulnerable individual, typically someone with a cognitive impairment or developmental disability, leaving a supervised or safe environment without proper authorization or supervision. Elopement can pose significant risks to the individual’s safety, as they may wander into unsafe areas, become lost or encounter dangerous situations. It can be very distressing for their family members and caregivers.

Updating surveillance services, security systems, tracking devices or training programs for staff is a great first step to prevent elopement in addition to leveraging networks to implement a robust elopement prevention strategy. Organizing training and workshops for staff and caregivers on elopement prevention and response techniques is another crucial step. This could include teaching staff proper protocol instructions and communication, especially involving patient chain of custody.

Additionally, all human services organizations should conduct risk assessments to identify individuals who may be at a higher risk of elopement. Finally, organizations should develop and implement policies and procedures aimed at addressing any potential issues, such as background checks on employees and vendors, visitor access and emergency response plans.

The Power of Partnership

In this environment, partnering with a broker can be an invaluable resource for providing guidance, consultation and taking proactive measures to minimize risk. At Conner Strong & Buckelew, we provide our clients with a true partnership, including safety, claims and advocacy experts. We work alongside human services organizations to provide services that fit your individual needs of managing and preventing claims and implementing safety and risk control programs. While claims are unfortunately inevitable, taking the right prevention and risk mitigation steps today can save your organization countless hours and financial losses down the line.


Pennsylvania Experience Modification Rating Plan Change

In June 2023, we notified our clients about upcoming changes to the Pennsylvania experience modification rating (EMR) plan. The Pennsylvania Compensation Rating Bureau has approved the new rating plan and published the updated Experience Rating Worksheet. It went live on January 25, 2024, and is available for all new ratings effective April 1, 2024, or after.

What Is Changing?

  • Split Point (cap on large losses) is moving from a single value of $42,500 for all Expected Loss amounts to a variable value ranging from $10,000 – $300,000
  • The swing limit (amount the mod can change in a given year) is increasing from +/-25% with secondary capping to +/-40% with no secondary capping (there is a 2-year transition period to help ensure EMR stability)
  • Eligibility for EMR is decreasing from $10,000 to $5,000
  • The Expected Loss Range is decreasing from $10,706 – $5,806,852 to $5,000 – $4,338,871
  • The Credibility values are increasing from 0.283 – 0.938 to 0.690 – 0.974

When Will It Occur?
The new rating plan will be applied to all Pennsylvania experience modifications that have an effective date of April 1, 2024 or after.

Who Will It Affect?
Potentially any employer with Pennsylvania workers’ compensation exposure.

How Will It Impact Employers?
The impact of the new rating plan will vary for each employer. Generally, Conner Strong & Buckelew anticipates potentially critical impact to the following employers/insurance programs:

  • Contractors
  • Guaranteed Cost Programs
  • EMR-Sensitive Programs
  • Any employer that utilizes the PA EMR for other business purposes (bidding, loan financing, etc.)

What To Do Now?

  1. Understand that the new plan may impact a PA EMR despite no change in the frequency/severity of losses.
  2. Contact your Conner Strong & Buckelew Account Executive for a customized impact analysis and recommendations.
  3. Contact your Conner Strong & Buckelew Claims Consultant for innovative strategies to minimize the most significant losses under the new rating plan.

What Property Owners Need to Know About Snow Removal Laws

By Geri Jaffee and Eric C. Voight

As winter approaches in the United States, many regions remain at an elevated risk for cold weather hazards, including snow, sleet, freezing rain, ice and cold waves. For commercial property managers, incidents involving snow and ice can turn into costly lawsuits if they are not addressed promptly. Icy walkways and snow-covered parking lots can lead to slips and falls or car accidents involving tenants or visitors to the property. Property owners can limit damage and their exposure to liability during the winter season by understanding the snow removal rules that apply to their properties.

Snow Removal Laws Differ from State to State

Property owners are responsible for keeping their properties safe for tenants, visitors and other third parties. While not every state has explicit snow removal laws, snow and ice can put people’s safety in danger, making it in the property owner’s best interest to clean and remove winter hazards as soon as possible once the storm subsides.

To reduce exposure to liability claims, property owners must be aware of the snow removal laws in their state and all the way down to the local municipal level to ensure they are adhering to all codes, statutes and rules within the required timeframes. For example, Illinois has no statewide requirements, but the city of Chicago requires that snow be removed by 10 p.m. if the storm occurred between 7 a.m. and 7 p.m. Knowing the exact requirements will better help property owners prevent incidents and establish a solid defense should a claim occur.

Understanding the “Snow in Progress” Defense

Incidents can still happen and third-party claims can still occur even if property owners take all the necessary precautions and remove snow and ice within a reasonable timeframe. In defending claims that arise from slips and falls or auto collisions due to snow and ice, property managers need to understand the duty of care and when the duty arises.

Many states, including New York, New Jersey and Pennsylvania, have “snow in progress” doctrines, which set forth that a property owner does not have a duty to clear snow or ice during a snowstorm, but rather within a reasonable timeframe after the storm ends. These doctrines come into play when incidents occur before the storm ends or before it is reasonably safe for the property owner to begin snow and ice removal. While only nine states and the District of Columbia have “snow in progress” doctrines, these laws set the precedent that property owners have a defense for incidents that occur during winter storms.

Snow Removal Considerations

When it comes to risk management and claim prevention, property owners should prepare a snow and ice removal plan outlining the following:

  • Who will manage snow and ice removal (property employees or outside contractors)
  • Steps for thorough documentation of actions taken to control safety hazards related to winter weather
  • Pre-storm preparation including anti-icing strategies like using salt or brine on sidewalks and parking lots
  • What equipment needs to be kept onsite and who is responsible for making sure it is working and ready
  • A process for notifying and communicating with property employees, contractors and tenants about snow removal procedures and timing

Any preparation and prevention strategies that property owners can perform will ultimately help in the long run when claims arise. Property owners must document every precaution taken and when, as well as all removal and clean-up work as it happens, to ensure accurate timestamps. Having a plan and understanding snow removal requirements will set property owners up for the best possible outcome when winter storms arrive.

Why Claim Audits Are More Valuable than Ever

By Joe DiBella, Executive Partner, National Employee Benefits Practice Leader

As healthcare costs continue to rise, claims audits remain an essential tool in employers’ toolbox.

Health plans are bracing for a significant uptick in costs in 2024. Employers project a median health care cost increase of 7 percent next year, according to the International Foundation of Employee Benefit Plans (IFEBP).

Several realities of today’s healthcare landscape are driving this increase. Employers identified chronic conditions, catastrophic claims, and rising drug costs as the leading contributors. At the same time, evolving models of care and new technologies are driving dramatic shifts in treatment and administration at providers of all kinds.

Claims audits can help employer health plans stay one step ahead of shifting practices while ensuring costs and pricing remain accurate and efficient. In fact, any employer that funds its plan with employee payroll contributions has a fiduciary responsibility to make certain the expenses and spending associated with the plan are correct.

Claim audits are a crucial tool in satisfying that fiduciary responsibility – and keeping costs in check.

Here’s a closer look at how claims audits can be utilized given the realities of today’s healthcare landscape.

New Technologies and Process Updates Require Regular Audits
Third party administrators (TPAs) and health plans regularly update their systems and technologies, and today those updates are faster and more far-reaching than ever. With each update and recode of benefits and procedures, it’s incumbent on group health plans and sponsors to ensure their program has been recoded correctly. Checking for accuracy on plan details including copays, out-of-pocket maximums, and more is essential.

For many TPAs and carriers, technology updates and programming changes are happening all the time. Determining an audit schedule that delivers a meaningful return by ensuring accuracy is important. For particularly far-reaching updates, a pre-implementation audit that allows for a review of a new system or protocols before it goes live can help identify and correct issues before they impact claims and costs.

Employers and plans should look to maximize the impact of audits by ensuring that any audit findings resulting in inaccurate claims or spending waste prompt investigations into similar claims.

Claims with similar details or those occurring during the same time period may also have been processed incorrectly.

Catastrophic Claims Demand Special Attention
Nearly one in five employers identified catastrophic claims as the primary reason for the cost increases in 2024. It’s not uncommon for employers to see multiple $500,000 or $1 million claims among their population.

With the advent of super large claims comes a need to evaluate them and make sure the costs are delivering the most effective and efficient care possible.

Audits of these claims can benefit from a closer evaluation from both an administrative and clinical perspective. An administrative review can help with factors like ensuring specialty care and treatments are accurately coded and deductibles are being handled correctly. On the clinical side, the audit can ensure the efficacy of treatment plans and identify improvement opportunities that benefit patient, provider, and plan sponsor. For example, a patient diagnosed with cancer may trigger a catastrophic claim audit. This patient may be receiving chemotherapy at a hospital or outpatient setting. An audit may identify that transitioning that treatment to the patient’s home with home health assistance could reduce costs while also allowing the patient to receive care in the comfort of their home without the added travel time and cost.

In these instances, it’s important to call out that audit findings and actions should not have a detrimental impact on the patient’s care experience. Employers should prioritize collaboration with carriers and providers to ensure updates that are mutually beneficial for all parties.

The CSB Advantage
At Conner Strong & Buckelew, our approach to claims audits delivers deeper findings and more actionable insights to help control costs and ensure effective and efficient care. ClaimCheck, our proprietary audit tool for large and catastrophic claims, delivers peace of mind for self-funded employers. This unique employee benefits claims screening process ensures large and catastrophic claims are being properly managed by the complex healthcare system, adjudicated pursuant to the plan of benefits, and paid properly.

With ClaimCheck, a claim will be flagged for review by a Conner Strong & Buckelew clinical nurse once it reaches either $100,000 or 50 percent of the client’s stop loss deductible, whichever comes first. The claim is reviewed for eligibility, care management and ongoing monitoring to ensure all needed care management oversight is in place. Cases are reviewed and remain open until the treatment is concluded or the client receives applicable stop loss payment. Even after payments are made, claims are monitored for ongoing appropriateness. Any claim more than $200,000 automatically goes through a case audit of the carrier’s adjudication accuracy of the claim to ensure all claims were paid properly.

With traditional audits, Conner Strong & Buckelew delivers greater value through our scale and our commitment to exceptional service and superior outcomes. We utilize robust samples in our auditing to ensure an accurate representation of a plan and its claims. If we find claims that were paid incorrectly, we require that the TPA or carrier pull claims with similar characteristics to ensure accuracy. From there, we conduct an impact analysis to quantify other challenges or errors that could result from this audit finding. And while other partners end the relationship after delivering the audit results, our team works with clients until the end, when claims are accurately paid and systems, policies, and procedures have been corrected.

At the same time, our scale and expertise offer an edge in developing audit samples and identifying potential issues. We utilize our vast experience of conducting dozens of audits a year to apply lessons learned to our work – all without compromising proprietary plan details or patient privacy.

The result is a more effective and impactful audit that delivers actionable results for employers and plans. From systems updates to catastrophic claims, Conner Strong & Buckelew serves as a true partner in health plan audits that can drive better health outcomes and protect a company’s bottom line.

FDA Exclusion Provision Creates Insurance Complications for Nutraceutical Industry

By Andrew Wagner, Partner, Managing Account Executive and National Life Science & Technology Practice Leader at Conner Strong & Buckelew

If NAC, NMN or others are on your shelves, is the product insured?

Manufacturers of n-acetyl cysteine (NAC) and other nutraceutical products may be at risk of coverage gaps because of one often overlooked U.S. Food and Drug Administration (FDA) rule – the drug preclusion provision.

When the COVID-19 pandemic struck, demand for NAC skyrocketed as many touted the product’s ability to treat cough and other lung complications. As the product, which was being sold over the counter, flew off the shelves, a pharmaceutical company filed a new drug application for a product using NAC as the active pharmaceutical ingredient (API) in a clinical trial.

This filing caused the FDA to trigger a lesser-known clause of the Dietary Supplement Health and Education Act (DSHEA) referred to by many as the “drug preclusion provision.” This provision states that a dietary supplement may not include an ingredient or article that has already been approved as a new drug, or an article authorized for investigation as a new drug for which substantial clinical investigations have been instituted and made public.

With an investigation for NAC now underway, the FDA placed NAC on its exclusion list and issued a cease and desist to all nutraceutical companies creating and selling it. This led to two citizen petitions from the Council for Responsible Nutrition (CRN) and the Natural Products Association (NPA) asking the agency to take NAC off the exclusion list considering its long history of safe usage. After several months of consideration, the FDA ruled that while it will not take NAC off the exclusion list, it will exercise enforcement discretion with respect to the sale and distribution of certain NAC-containing products that are labeled as dietary supplements.

What Does This Mean for NAC Producers?
While NAC manufacturers and distributors are currently free from FDA enforcement to produce and sell the product, this ruling may have significant implications for their product liability insurance coverage. Many product liability policies in the life sciences industry contain language that excludes coverage for products containing articles and ingredients listed on the FDA’s exclusion list. This means that producers and retailers of products containing NAC today may not have product liability coverage in place.

Product liability policies usually include their own list of products that are excluded from coverage. Adding to the confusion is the fact that NAC is typically not on these lists, but coverage still may be excluded considering NAC’s designation as an “excluded article” by the FDA. This coverage caveat is not specific to NAC and applies to many other commonly used nutraceuticals, like nicotinamide mononucleotide (NMN). Producers of products containing NMN and other articles on the exclusion list may also be lacking critical insurance coverage.

What Life Sciences Companies Can Do Now
In light of these conditions, all nutraceutical companies producing or distributing over-the-counter dietary supplements should consider taking a few steps today to ensure they have proper coverage in place. As life sciences insurance experts with decades of experience reviewing policy language and negotiating terms for our clients, here are three things we believe life sciences companies need to do now:

1. Closely review current insurance policy language: All dietary supplement producers and distributors should start by taking a close look at their existing product liability insurance policies. It’s important to look for any language that eliminates coverage for products containing articles listed on the FDA’s exclusion list. This language can be complex and difficult to understand. But an experienced broker will be able to read through your specific policy and identify any gaps that need to be addressed.

2. If uncovered, seek out a solution: Nutraceutical companies discovering they are uninsured will need to get creative when seeking a solution. They will most likely need to work with a smaller, specialty insurer, perhaps an offshore provider who operates outside of the confines of the U.S. regulatory and legal system. Nutraceutical providers should consider whether their broker has the expertise necessary to evaluate coverage properly, and should consider approaching these underwriters with the assistance of a knowledgeable broker that has the background, relationships, and negotiating experience to secure the best coverage and terms.

3. Assess contracts and legal liability: When reviewing insurance policy language, it’s also a good time to assess contracts with manufacturers, distributors, and other business partners in the event of a product liability lawsuit. Depending on how these contracts are written, companies can be named in a lawsuit for their specific role in bringing a product to market.

The CSB Advantage
At Conner Strong & Buckelew, we have decades of experience helping life sciences companies navigate the FDA regulatory landscape. We’re experts in complex insurance language and possess the industry connections to ensure our clients are getting the coverage they need. As regulations continue to shift and the FDA puts out new guidance, we can help interpret the implications for your business and offer counsel on how to best protect yourself. We will serve as your advocate as you seek to secure maximum coverage at the most favorable terms, a task that is even more important in today’s persistent hard marketplace.

Navigating the Uncharted Waters of Nutraceuticals and Social Media Marketing

The nutraceuticals market has been on the rise for the past few years with companies contracting with social media influencers to endorse the use of products that promise various health benefits, like weight loss, anti-aging or hair growth, on Instagram, Facebook and TikTok. But first, what are nutraceuticals? Ranging from teas to protein powders to gummies and beyond, nutraceuticals are commonly defined as substances or products that are derived from food and sold in either medicinal or foodstuff forms and provide medical or health benefits.

In the United States alone, the nutraceuticals market is expected to reach $599.71 billion by 2030, according to Grand View Research. Social media has been one of the primary catalysts for growth in this sector with many companies capitalizing on social media influencers to provide authentic marketing for their products. However, the lack of oversight and control often associated with influencer content can pose serious risks for companies looking to promote nutraceuticals via social media. 

As the market continues to grow, federal agencies including the U.S. Food and Drug Administration (FDA) and the Federal Trade Commission (FTC) have become more engaged in establishing regulations surrounding the marketing of the health benefits of nutraceuticals.  

This subject was further explored by Michele Fields, vice president and senior claim consultant at Conner Strong & Buckelew, in collaboration with Angela L. Angotti, partner at Bowman and Brooke, in an article published in the Food and Drug Law Journal. The piece dives into:  

  • Specific risks associated with social media and influencer marketing for nutraceuticals 
  • Current guidance from the FDA and FTC regarding nutraceuticals 
  • Recent examples of enforcement actions from the FDA and FTC toward nutraceutical companies 
  • Examples of state-level consumer protection claims that nutraceutical companies may be exposed to 

Fields and Angotti outline the critical need for proper mitigation and compliance strategies when it comes to marketing nutraceuticals on social media and how companies can ensure they are protected in the current regulatory environment. 

Click here to read the full article in Food and Drug Law Journal.

Shared with the permission of FDLI.

Snow Season Preparedness for Commercial Property Owners

During winter months, it’s important for commercial property owners to prioritize snow and ice removal to ensure the safety of their premises. Neglecting this responsibility can pose serious risks to workers, customers and other third parties. To help prepare for snowfall, here are three practical steps to minimize these risks:

1. Create a Snow and Ice Removal Plan
Implementing an effective removal plan is essential in mitigating risks and liability exposures. A comprehensive strategy helps businesses stay consistent with how snow and ice removal is undertaken and provides documented instructions that can be communicated to workers and other involved parties.

Our Snow and Ice Removal Guide provides insights on creating a comprehensive plan, in addition to pre-storm preparation techniques, ice removal strategies and more.

2. Understand Your Legal Obligations
While property owners may take all necessary precautions, incidents and resulting claims can still occur, both third-party and workers’ compensation. In defending claims that arise out of slips and falls on snow and ice, it is important to understand the duty of care and when the duty arises. In addition to having the responsibility as a commercial property owner, certain states have rules and laws as to when snow and ice must be removed from the property.

Many individual municipalities have their own codes, statutes and rules related to snow removal. However, several states recognize the duty to remove snow and ice with Snow in Progress doctrines. This doctrine states that a property owner does not have a duty to clear snow or ice during a snowstorm, but rather within a reasonable time after the storm ends. This chart outlines the states that follow a Snow in Progress doctrine.

3. Educate Employees on Winter Weather Safety
Train your employees on proper snow removal techniques and associated risks, especially if the task is completed in-house. Check out our resources on snow shoveling safety and tips to prevent winter weather-related slip and fall injuries to help facilitate these discussions.

The Conner Strong & Buckelew team is here to help ensure your company is prepared for the upcoming snow season. Should you have any questions, please contact your Conner Strong & Buckelew account representative.

Safeguarding Against Compromised Credentials and Identity Theft

In today’s digital world, the threat of compromised credentials and identity theft is a pressing concern for individuals and organizations. Unauthorized access to personal information, including usernames, passwords, and sensitive data, can lead to significant financial loss, reputation damage, and emotional distress. Understanding these cyber threats and taking proactive measures to mitigate risks is crucial.

Understanding the Threat
Compromised Credentials: Cybercriminals often acquire login details through phishing kits or data breaches, granting unauthorized access to sensitive accounts. Stolen credentials enable attackers to exploit every account that shares the same login details.

Stolen Identity: Identity theft involves the unauthorized use of personal information for fraudulent activities, often leading to financial harm and reputational damage. Organizations must remain vigilant, as compromised customer data not only poses legal liabilities but also undermines trust.

Tips for Risk Mitigation

1. Vigilance and Prompt Action: If you suspect your credentials have been compromised, act swiftly. Immediately change passwords and report the incident to relevant authorities, including your IT department, bank, and law enforcement.

2. Enhanced Security Measures: Emphasize the use of unique, complex passwords and consider implementing a password manager to handle multiple accounts securely. Avoid reusing passwords across various platforms to prevent unauthorized access.

3. Multi-Factor Authentication (MFA): Enable MFA whenever available to add a layer of security. This will significantly reduce the risk of unauthorized access, even with compromised credentials.

4. Monitor Your Accounts and Credit Reports: Routinely monitor financial accounts for any unauthorized transactions and review credit reports for any irregularities or unauthorized activities.

5. Check for Exposed Credentials: Utilize services like “Have I Been Pwned” to see if your email or credentials have been part of a data breach. Organizations are advised to use threat intelligence and dark web monitoring services.

6. Stay Informed: Keep up to date on the latest cybersecurity threats, phishing tactics, and data breaches to remain one step ahead of potential risks.

7. Employee Training: Educate employees on the best practices for maintaining the security of their personal and work-related accounts, emphasizing the importance of strong, unique passwords and cautious online behavior.

These proactive measures help organizations foster a culture of security and reduce the risk of compromised credentials and identity theft. They are crucial in safeguarding sensitive information and preserving the integrity of both personal and corporate data.
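Tip 5 in practice, as an added example that is not part of the original article: Have I Been Pwned's Pwned Passwords range lookup uses k-anonymity, so only the first five hex characters of a password's SHA-1 hash leave the machine and the match is made locally. The breach corpus, its counts and the stand-in response builder are constructed so the sketch runs offline.

```python
from __future__ import annotations
import hashlib

# Real Pwned Passwords range endpoint; this sketch never calls it.
RANGE_URL = "https://api.pwnedpasswords.com/range/{prefix}"

def split_hash(password: str) -> tuple[str, str]:
    """SHA-1 the password; only the 5-char prefix is ever sent to the service."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]

def breach_count(password: str, range_body: str) -> int:
    """Match the locally held suffix against 'SUFFIX:COUNT' response lines."""
    _, suffix = split_hash(password)
    for line in range_body.splitlines():
        candidate, _, count = line.strip().partition(":")
        if candidate.upper() == suffix and count.isdigit():
            return int(count)  # padded responses use count 0, i.e. not breached
    return 0

def constructed_range_body(prefix: str, corpus: dict[str, int]) -> str:
    """Stand-in for the service: list suffixes of corpus entries sharing the prefix."""
    lines = []
    for pw, seen in corpus.items():
        p, s = split_hash(pw)
        if p == prefix:
            lines.append(f"{s}:{seen}")
    lines.append("0" * 35 + ":0")  # constructed padding-style entry
    return "\r\n".join(lines)

def is_acceptable(password: str, corpus: dict[str, int]) -> bool:
    """Reject a new password if it appears in the (constructed) breach corpus."""
    prefix, _ = split_hash(password)
    return breach_count(password, constructed_range_body(prefix, corpus)) == 0

# Constructed breach corpus with made-up counts, for illustration only.
SAMPLE_CORPUS = {"password": 12345, "Winter2024!": 87}

if __name__ == "__main__":
    for candidate in ("password", "correct horse battery staple 7!"):
        verdict = "ok" if is_acceptable(candidate, SAMPLE_CORPUS) else "breached"
        print(candidate, "->", verdict)
```

A check like this fits at password-set time, so a known-breached password is refused before it is ever stored.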

Protecting Your Company from Business Email Compromise

Business email compromise (BEC) is a method cybercriminals use to generate revenue. It’s a social engineering attack that relies on psychological manipulation and deceptive tactics to defraud victims. However, with awareness, training, and the right preventative measures in place, organizations can significantly reduce their risk of falling victim to these costly swindles. Maintaining a skeptical mindset, verifying requests, and prioritizing cybersecurity in business operations are crucial.

Understanding BEC

Cybercriminals use BEC to ensure that fake email messages are trusted. Once access to an email account is gained, criminals study the account owner’s behavior and impersonate their communications. The end goal is typically unauthorized access to another business email account or defrauding the company, its employees, clients, or partners for monetary gain.

BEC usually begins with cybercriminals compromising legitimate email accounts. By sending from a trusted account, cybercriminals have no need for technical tricks such as spoofing or fake addresses, and they dodge automated security controls. These emails often lack familiar signs of fraud, making them appear legitimate to employees.

The cybercriminals closely analyze communication patterns of the person and mimic legitimate communication styles to exploit trusted relationships between service providers, customers, and other business associates.

Types of BEC Attacks

  • Credential theft: Employees are tricked into providing credentials to a fake website. Fake phishing sites usually resemble tools used at work, such as DocuSign, Microsoft, or Adobe login prompts. The fake sites can include multifactor prompts.
  • CEO fraud: Cybercriminals impersonate senior executives, often the CEO, to request financial transfers.
  • Fake invoice scheme: Suppliers’ emails are compromised and used to send fake invoices.
  • Attorney impersonation: Cybercriminals pretend to be lawyers or legal firms to obtain confidential data.
  • Data theft: HR personnel are targeted to extract employees’ personal data.

Factors Contributing to the Success of BEC Attacks

  • Social engineering: Cybercriminals use skillful manipulation of human behavior to appear genuine.
  • Trust relationships and processes: Unlike other phishing attacks, BEC scams are tailored, using specific knowledge about individuals, businesses, and their processes.
  • Sense of urgency and duty: Cybercriminals exploit the trust employees place in colleagues and their sense of duty to provide good service.
  • Lack of training: Employees may not be aware of the threat and fail to recognize the signs, especially when the email seems to be from a “real colleague.”

Protecting Your Business from BEC

  1. Be skeptical and confirm communication requests on all platforms! Verify the legitimacy of suspicious emails or other communications through direct contact, using a known phone number.
  2. Multi-factor authentication (MFA): Implement multiple verification methods before granting access to accounts.
  3. Advanced email security: Employ email filtering solutions that detect abnormal behavior and quarantine phishing and spoofing emails.
  4. Regularly monitor accounts: Monitor business email accounts for any irregular or suspicious activity using behavioral email monitoring tools.
  5. Verification procedures: Establish a multi-person approval process for financial transactions or changes to HR information above a certain dollar threshold.
  6. Employee training: Regularly educate employees about the dangers of BEC attacks, phishing, and psychological manipulation through social engineering.
  7. Be cautious with public and personal information: Minimize the availability of your company’s hierarchy and roles online to make it difficult for hackers to craft believable scams. Avoid posting emails, phone numbers and personal details publicly on social media.
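Items 1 and 3 above as a mail-triage sketch, added here and not part of the original article: header checks catch impersonation from outside addresses, while the content check still fires when the sending mailbox is genuine but compromised, which is the case the article warns about. The company domain, executive name, keyword lists and sample messages are all constructed assumptions.

```python
from __future__ import annotations
import re
from email import message_from_string
from email.utils import parseaddr

# Assumed for this sketch: company domain, executive names, keyword lists.
COMPANY_DOMAIN = "example.com"
EXECUTIVES = {"dana reyes"}
PAYMENT = re.compile(r"\b(wire|invoice|bank details|gift cards?|payroll)\b", re.I)
URGENCY = re.compile(r"\b(urgent|immediately|today|asap|confidential)\b", re.I)

def domain(addr: str) -> str:
    return addr.rpartition("@")[2].lower()

def triage(raw: str) -> list[str]:
    """Return the reasons a message should be verified before anyone acts on it."""
    msg = message_from_string(raw)
    name, sender = parseaddr(msg.get("From", ""))
    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    text = f"{msg.get('Subject', '')}\n{msg.get_payload()}"
    reasons = []
    if name.lower() in EXECUTIVES and domain(sender) != COMPANY_DOMAIN:
        reasons.append("executive display name on an external address")
    if reply_to and domain(reply_to) != domain(sender):
        reasons.append("Reply-To domain differs from From domain")
    # Content check still fires when the sending mailbox is genuine but compromised.
    if PAYMENT.search(text) and URGENCY.search(text):
        reasons.append("urgent payment or bank change: call back on a known number")
    return reasons

# Constructed sample messages (not real mail).
CEO_FRAUD = ("From: Dana Reyes <dana.reyes@mail-example.test>\n"
             "Reply-To: d.reyes@inbox-example.test\n"
             "Subject: Urgent wire needed\n\n"
             "Please process this wire today and keep it confidential.\n")
COMPROMISED_VENDOR = ("From: Accounts <ar@supplier.test>\n"
                      "Subject: Updated bank details for invoice 1042\n\n"
                      "Our bank details changed. Please update immediately.\n")
BENIGN = ("From: Sam Lee <sam.lee@example.com>\n"
          "Subject: Lunch menu\n\nMenu attached.\n")

if __name__ == "__main__":
    samples = [("ceo", CEO_FRAUD), ("vendor", COMPROMISED_VENDOR), ("benign", BENIGN)]
    for label, raw in samples:
        print(label, triage(raw))
```

The vendor sample passes both header checks, which is why the keyword signal routes it to the call-back and multi-person approval steps rather than relying on filtering alone.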

Patch Management Best Practices

Vulnerabilities are inherent in the cyber world, posing significant risks to organizations. These vulnerabilities, often arising as software bugs, can serve as entry points for cybercriminals, granting them unauthorized access to your systems. To effectively address these vulnerabilities, timely and efficient patch management is key.

Understanding Patches
Patches are operating system and software updates that are typically placed into three categories: security, bug fixes, and feature updates. Neglecting to patch vulnerabilities leaves your organization exposed.

Testing & System Backup
Before deploying patches, testing is crucial to prevent the unintended introduction of other security vulnerabilities. Additionally, it’s advisable to create a full system backup in case unforeseen issues arise during the patch deployment process.

Prioritizing Patch Management
In cases where organizations rely on multiple software or firmware programs, prioritizing patch management is essential, considering potential system downtime during implementation. Sometimes, immediate implementation of security patches isn’t possible. In such cases, protecting the unpatched software from internet exposure or restricting user access is recommended.

Establishing a Patch Deployment Schedule
Designating a weekly “Patch Day” for planned system downtime is strongly suggested. This promotes user readiness and enables organizations to establish a personnel schedule for managing updates. Delaying the deployment of major security patches due to employee overtime expenses or potential unplanned system outages is not recommended. Time is of the essence when it comes to implementing security patches.

Staying Informed
Regularly monitor industry news and actively participate in online forums to stay up to date on the latest threats and vulnerabilities.

Conner Strong and Buckelew’s Cyber Portal has additional resources on patch management. Contact your account representative to learn more about our cyber services or to help set up your cyber portal account.