Insurance

Article Dean Dorton

What does a compliant, secure business look like? The reality is that a compliant, secure business is going to look different based on industry, size of business, type of regulatory environment the organization operates in, and the organization’s risk appetite.

Each organization has the ability to lay the groundwork for future compliance and security. Simple steps facilitate the building of the desired culture. These include:

  • Development of a defined organizational chart.
  • Written policies and procedures for key processes and controls to facilitate consistency and continuity.
  • Routinely educating staff and leadership on the current regulatory environment for your industry.
  • Identifying the key risks to the organization’s continuity and business model.
  • Defining the organization’s risk appetite by specifying what level of risk is acceptable and what level of risk is too high.
  • Defining the information technology environment in which the organization will operate.
  • Identifying disrupters which may materially impact the operational effectiveness of the organization.

Each of the above elements become part of the whole picture of the organization, and are the foundation upon which a compliant organization should be built.

One area which many organizations fail to consider when establishing the above building blocks are the cyber risks to the organization. As technology becomes more prevalent across all industries, and networked devices become the norm, there is an increased risk of cyber incidents.

As noted in the 2018 IBM/Ponemon Cost of Data Breach report, the average cost of a data breach in the U.S. is $7.91 million, but can vary widely depending on the industry in which you operate. As an example, the cost of a single breached healthcare record is at its highest point ever – $408 per record. The cost includes items such as legal fees, incident response, notification costs, loss of reputation, loss of business, remediation costs, etc.

The reputational harm; harm to your clients or customers and other distractions caused by a cybersecurity incident, can devastate the operations of any organization. Cybersecurity is about maintaining the confidentiality of sensitive information, whether that be healthcare data, manufacturing trade secrets, student, or donor data.  Cybersecurity is not just about confidentiality, it is also about maintaining the integrity of your information and maintaining system operations.

Looking to learn more?

Join us for our annual Board Oversight and Risk Management seminar on Wednesday, October 3, 2018 at the Olmsted in Louisville, Kentucky. During the seminar, you will gain a firm grasp of common financial and operational risks that companies and nonprofit organizations are confronted with daily. You’ll learn what you need to do, beyond insuring against the risks, to properly identify and navigate the most serious risks threatening you and your organization. This seminar is ideal for executive nonprofit and private company board members, corporate executives, senior compliance and risk officers, and in-house counsel.

Register Today

For more information on how to build a compliant business, while integrating cyber security and fraud considerations, contact Shawn Stevison or Gui Cozzi at 502-589-6050.

As originally featured in Louisville’s Business First

Article Dean Dorton

“No one would be interested in my data.” Nothing could be further from the truth! Announced in late March, the Department of Justice filed criminal charges and sanctions against nine Iranian hackers accused of compromising hundreds of universities, private companies, and government agencies.

It is estimated that some 320 universities, in the U.S. and abroad, have been compromised. Government agencies are also believed to have been breached. Also targeted were private sector law firms and consulting companies. The accused were focused on acquiring and selling science and engineering research information.

This incident brings further focus and attention on the growing threats and required attention for cybersecurity at all organizations. We find that there is no private, public, or nonprofit entity immune to the ever-growing and more sophisticated threats posed by cybercriminals. The amount of electronic information and communications used today only continues to grow. Our business and organizations rely on data and systems to function in nearly all aspects.

If your organization is not yet taking cybersecurity seriously, now is the time. More areas of compliance require organizations to formalize their attention on cyber risk. Financial institutions and higher education organizations have Gramm Leach Bliley Act (GLBA), healthcare has HIPAA, and companies with clients or constituents in the European Union will soon have GDPR, just to name a few.

Here are a few key areas that you should focus on:

  • Annual cyber risk assessment
  • User awareness training
  • Processes for monitoring and detecting incidents
  • Formal incident response plan
  • Adequate cyber insurance

If your organization needs help with any of these areas, Dean Dorton has a team of qualified consultants ready to help. Contact Jason Miller, Director of Business & Technology Consulting, at 859.425.7626 or jmiller@ddaftech.com. Don’t wait until it is too late.

Article Dean Dorton

By: Jason Miller

“Cybersecurity” has become a buzzword over the last couple of years, especially with more cybersecurity attacks against large companies or corporations that are recognizable by name, but have you really taken the time to sit down and assess your organization’s IT security position?

Many organizations quickly punt the topic of cybersecurity to the IT department. While IT plays a huge role in cybersecurity, it is the responsibility of those charged with organization governance to ensure compliance. Board members and senior leadership should be asking the questions and confirming that the organization is devoting the proper resources and attention to cybersecurity.

“One and done” doesn’t work here

It is critical to understand that cybersecurity is not a one-time project. It is a continual evolution and initiative.

Leadership needs to also recognize there can be substantial costs associated with cybersecurity activities and for some organizations such as colleges and universities, they are not optional. Across the public and private sectors, it is imperative that organizations continue to enhance cybersecurity in order to meet evolving threats to controlled unclassified information and challenges to the security of such organizations.

With the ongoing focus on your organization’s bottom line, it might be tempting to defer projects related to cybersecurity to reduce budgets. However, doing so could put your organization in a position where you are not prepared, or even worse, in noncompliance with certain regulations specific to your industry. Cutting corners on cybersecurity compliance could wind up costing your business more in the end.

The “I’m covered already” approach

When evaluating your cybersecurity preparedness, there are several factors to consider. Let’s take a step back – right now, your priority is your business. You’re buying new technology, investing in new infrastructure and most likely trying to adapt to changing business models like cloud. It’s all good work but it takes time and effort.

Hackers desperately want access to your customer data, employee data, or intellectual property because it’s worth a lot. A single theft could cost your company severe financial damage. And sometimes, in the case of ransomware, all they have to do is lock it down and force you to pay to get it back as you’ve heard about in some of the latest attacks.

Why do you hear terms like “dynamic threat landscape” these days? Because you aren’t facing a group of hacktivists in a basement anymore – you are now facing professionals with a lot to gain.

Your business and the threat landscape around you are ever changing.  It is imperative that your organization conducts an annual cyber risk assessment. This allows the entire organization to consider current and future risks and put forth a plan to mitigate the identified risks.

Some businesses will run out and acquire every new solution they hear about for protecting their organization against cyber risks. While having a multi-layered approach to cybersecurity is important, it is also equally important to have an organized approach and to use tools that are designed to work together.  If your solution is designed properly, you could end up with what we call the security effectiveness gap. As you add more solutions that don’t work together, the complexity exponentially increases. So, every time you add another solution or another vendor, you add another gap – another vulnerability.

A robust cybersecurity solution will:

  1. Stop threats at the edge
  2. Protect users where they work (especially when team members are working remotely or on a personal device)
  3. Find and contain problems fast
  4. Control who gets on your network and from where
  5. Simplify network segmentation
  6. Provide compressive monitoring and detection

…But I have cyber security insurance

That insurance probably doesn’t cover anywhere near what you think it does. Should you invest in cybersecurity insurance? That’s a topic for a different day.

Your business, no matter what size or type, needs to be prepared to handle a cyberattack at a moment’s notice. It is important to work with credentialed professionals with cybersecurity expertise and experience to help you maximize your investment and make sure you have all the appropriate measures in place to keep hackers at bay.

Learn more about Dean Dorton’s cyber security services and solutions for your organization.

As originally featured in Louisville’s Business First

Article Dean Dorton

Most assets of which we are the sole owner pass at death according to the terms of our will and beneficiary designations of retirement plans and life insurance.

In a real example from a dispute that went all the way to the U.S. Supreme Court, a daughter had an “unpleasant” outcome when her father passed way. Her father’s ex-wife was awarded $400,000 from his retirement plan even though she had waived any interest in the plan in the divorce and property settlement agreement.

What happened? The father failed to update his beneficiary designation form to name his daughter as beneficiary. When he died seven years after the divorce, his former wife was still named as the beneficiary upon his death. The employer’s plan document stated that beneficiaries could only be changed by submitting the required form. The Court held that the administrator of an ERISA-covered benefit plan need only look to the governing plan documents to determine the proper plan beneficiary.

This case reminds us of some very important points:

  • Do not rely on documents such as a divorce decree, property settlement agreement, or a will to name beneficiaries of life insurance policies, retirement plans, 529 college savings plans, and annuities. Determine the currently named beneficiary for all such assets and, if you want the designation to be changed, obtain the proper forms to change your beneficiary designation and complete and properly submit the forms. Keep copies of the completed forms with your will and other testamentary documents.
  • Divorce is not the only situation where failing to update your beneficiaries can cause problems for intended heirs. You may want certain benefits to go to specific children. Their financial or medical situations may have changed. Remind yourself to do an annual “check-up” to review beneficiaries. This should include primary and contingent beneficiaries. It is important to include a secondary beneficiary in case the primary beneficiary predeceases you.
Please contact Missy DeArk at mdeark@deandortonstg.wpenginepowered.com if you have questions about this important topic.

Article Dean Dorton

Hurricane Matthew has been an unfortunate reminder of natural disasters reaching close to home. During and immediately after a natural disaster, the focus is always on the safety of communities, friends, family, and colleagues. The clean-up and recovery can take months with the insurance industry heavily involved in the process.

According to CoreLogic, the damage from Hurricane Matthew is estimated to result in over 100,000 insurance claims and damages up to $6 billion in the U.S. The replacement and repair of damaged physical property will cover the bulk of insurance claims. Business interruption claims will result from the severe impact to business operations ― financial damage which cannot be easily calculated or shown on the news and social media.

Employee salaries and rent obligations do not stop because of an extraordinary event such as a natural disaster, fire, or flood. Business interruption insurance coverage protects the cash flow impact to the business during the incident and subsequent recovery. Business interruption insurance is designed to return the business to the same financial standing as if the extraordinary event had never happened.

Every insurance policy is different and must be read closely to understand the coverage. In general, a business interruption claim will cover the lost “business income”.

Business income is comprised of:

  1. Net profit before income taxes and
  2. Continuing operating expenses (e.g. employee salaries).

In addition, policies will often cover “extra expenses” incurred (e.g. temporary office rent).

Determining net profit before income taxes requires forecasting business operating results assuming the extraordinary event never occurred and comparing to the actual results during the period of interruption. The subjectivity involved in forecasting and understanding the complete financial impact to the business often results in a complex analysis. Significant judgment and understanding of the business is often needed to determine a business interruption claim.

We work with businesses and insurance companies to prepare and review business interruption claims to help ensure the business is made “whole”. If you encounter an unfortunate event, Dean Dorton’s forensic accounting and valuation professionals are available to assist with the business interruption claim.

Contact your Dean Dorton advisor or David Angelucci at dangelucci@deandortonstg.wpenginepowered.com to learn more.

Article Dean Dorton

Most companies want to provide their employees with the best medical benefit coverage; however, healthcare costs and the cost of medical insurance continue to increase. One way to help reduce your costs is a dependent eligibility verification audit.

It is estimated that 4% to 8% of dependents nationwide are ineligible to participate in their company’s medical plan. It is also estimated that a company’s annual average cost of medical coverage for a dependent is approximately $3,300. We have seen these national estimates hold true in the clients that we have worked with in the past year.

So how do you identify the ineligible dependents?

The best way is to conduct a dependent eligibility verification audit. Your company can perform this audit, or a third party can be brought in to assist you. Dean Dorton would be happy to guide you through the process and perform the audit for you. Dependent eligibility verification audits can be very sensitive. They are very time consuming if it is not done properly, and dependents could be wrongly removed from the plan, upsetting employees.

The goals of a dependent eligibility verification audit are to achieve a high response rate from your employees and to make sure that only those who are ineligible for coverage are removed – not to remove the maximum number of dependents in the shortest period of time. We highly recommend partnering with Dean Dorton because we are trained and experienced in performing audits. Our services are designed to:

  • Meet the specific needs and objectives of each client
  • Achieve the highest response rate and compliance rate
  • Properly handle a significant volume of confidential data
  • Provide open, strong communication channels with employees and management
  • Provide value and cost savings

If you would like to learn more about the solutions we can provide, please contact Jim Tencza at (502) 566-1071 or jtencza@deandortonstg.wpenginepowered.com to set up a consultation today.


View Jim Tencza’s Bio