When a data breach or other cyber event occurs, the damages can be significant, often resulting in lawsuits, fines and serious financial losses. What’s more, cyber exposures impact businesses of all kinds, regardless of their size, area of focus, or status as a private or public entity.
In order for organizations to truly protect themselves from cyber risks, corporate boards must play an active role. Not only does involvement from leadership improve cyber security, it can also reduce liability for board members.
To help oversee their organization’s cyber risk management, boards should ask the following questions:
Does the organization utilize technology to prevent data breaches?
Every company must have robust cyber security tools and anti-virus systems in place. These systems act as a first line of defense for detecting and preventing potentially debilitating breaches.
While it may sound obvious, many organizations fail to take cyber threats seriously and implement even the simplest protections. Boards can help highlight the importance of cyber security, ensuring that basic, preventive measures are in place.
These preventive measures must be reviewed on a regular basis, as cyber threats can evolve quickly. Boards should ensure that the management team reviews company technology at least annually, ensuring that cyber security tools are up to date and effective.
Has the board or the company’s management team identified a senior member to be responsible for organizational cyber security preparedness?
Organizations that fail to create cyber-specific leadership roles could end up paying more for a data breach than organizations that do. This is because, in the event of a cyber incident, a fast response and clear guidance are needed to contain a breach and limit damages.
When establishing a chief information security officer or similar cyber leadership role, boards need to be involved in the process. Cyber leaders should have a good mix of technical and business experience. This individual should also be able to explain cyber risks and mitigation tactics at a high level so they are easy to understand for those who are not well-versed in technical terminology.
It should be noted that hiring a chief information security officer or creating a new cyber leadership role is not practical for every organization. In these instances, organizations should identify a qualified, in-house team member and roll cyber security responsibilities into their current job requirements. At a minimum, boards need to ensure that their company has a go-to resource for managing cyber security.
Does the organization have a comprehensive cyber security program? Does it include specific policies and procedures?
It is essential for companies to create comprehensive data privacy and cyber security programs. These programs help organizations build a framework for detecting threats, remain informed on emerging risks and establish a cyber response plan.
Corporate boards should ensure that cyber security programs align with industry standards. These programs should be audited on a regular basis to ensure effectiveness and internal compliance.
Does the organization have a breach response plan in place?
Even the most secure organizations can be impacted by a data breach. What’s more, it can often take days or even months for a company to notice its data has been compromised.
While cyber security programs help secure an organization’s digital assets, breach response plans provide clear steps for companies to follow when a cyber event occurs. Breach response plans allow organizations to notify impacted customers and partners quickly and efficiently, limiting financial and reputational damage.
Board members should ensure that crisis management and breach response plans are documented. Specific actions noted in breach response plans should also be rehearsed through simulations and team interactions to evaluate effectiveness.
In addition, response plans should clearly identify key individuals and their responsibilities. This ensures that there is no confusion in the event of a breach and your organization’s response plan runs as smoothly as possible.
Has the organization discussed and formalized a cyber risk budget? How engaged is the board in terms of providing guidance related to cyber exposures?
Both overpaying and underpaying for cyber security services can negatively affect an organization. Creating a budget based on informed decisions and research helps companies invest in the right tools.
Boards can help oversee investments and ensure that they are directed toward baseline security controls that address common threats. Boards, with guidance from the chief security officer or a similar cyber leader, should also prioritize funding. That way, an organization’s most vulnerable and important assets are protected.
Has the management team provided adequate employee training to ensure sensitive data is handled correctly?
While employees can be a company’s greatest asset, they also represent one of its biggest cyber liabilities. This is because hackers commonly exploit employees through spear phishing and similar scams. When this happens, employees can unknowingly give criminals access to their employer’s entire system.
In order to ensure data security, organizations must provide thorough employee training. Boards can help oversee this process and instruct management to make training programs meaningful and based on more than just written policies.
In addition, boards should see to it that education programs are properly designed and foster a culture of cyber security awareness.
Has management taken the appropriate steps to reduce cyber risks when working with third parties?
Working alongside third-party vendors is common for many businesses. However, whenever an organization entrusts its data to an outside source, there’s a chance that it could be compromised.
Boards can help ensure that vendors and other partners are aware of their organization’s cyber security expectations. Boards should work with the company’s management team to draw up a standard third-party agreement that identifies how the vendor will protect sensitive data, whether or not the vendor will subcontract any services and how it intends to inform the organization if data is compromised.
Does the organization have a system in place for staying current on cyber trends, news, and federal, state, industry and international data security regulations?
Cyber-related legislation can change with little warning, often having a sprawling impact on the way organizations do business. If organizations do not keep up with federal, state, industry and international data security regulations, they could face serious fines or other penalties.
Boards should ensure that the chief information security officer or similar leader is aware of his or her role in upholding cyber compliance. In addition, boards should ensure that there is a system in place for identifying, evaluating and implementing compliance-related legislation.
Additionally, boards should constantly seek opportunities to bring expert perspectives into boardroom discussions. Often, authorities from government, law enforcement and cyber security agencies can provide invaluable advice. Building a relationship with these types of entities can help organizations evaluate their cyber strengths, weaknesses and critical needs.
Has the organization conducted a thorough risk assessment? Has the organization purchased or considered purchasing cyber liability insurance?
Cyber liability insurance is specifically designed to address the risks that come with using modern technology—risks that other types of business liability coverage simply won’t cover.
The level of coverage your business needs is based on your individual operations and can vary depending on your range of exposure. As such, boards, alongside the company’s management team, need to conduct a cyber risk assessment and identify potential gaps. From there, organizations can work with their insurance broker to customize a policy that meets their specific needs.
Asking thoughtful questions can help boards better understand the strategies management uses to prevent, detect and respond to data breaches. When it comes to cyber threats, organizations need to be diligent and thorough in their risk prevention tactics, and boards can help move the cyber conversation in the right direction.
Cyber exposures impact organizations from top to bottom, and all team members play a role in maintaining a secure environment. However, managing personnel and technology can be a challenge, particularly for organizations that don’t know where to start.
That’s where Scurich Insurance can help. Contact us today to learn more about cyber risk mitigation strategies you can implement now to secure your business.
OSHA’s final rule on electronic reporting requires certain employers to submit data from their injury and illness records electronically so it can be posted on the agency’s website. Because the rule is an extra requirement on top of existing OSHA recordkeeping standards, affected employers need to be ready to comply with the rule before the proposed Dec. 1, 2017, deadline.
Other News and Tips
Preparing for OSHA Inspections
If an unannounced OSHA inspection finds violations at your business, you may have to pay thousands in fines and watch as your reputation plummets. Fortunately, OSHA inspections generally follow an established procedure that you and your staff can prepare for.
When an OSHA compliance officer arrives at your business, it’s important to check his or her credentials and then determine if you’ll give consent to the inspection. Although you can refuse an inspection or give only partial consent, the compliance officer will take note of this and OSHA may take further action.
Once an inspection begins, the goal should be to determine its purpose and set any ground rules. You should also be prepared to provide proof that your business is in compliance with OSHA standards. During the walkaround process, be sure to take notes of what the inspector documents so you can review them later.
OSHA inspections can be stressful, even when your business is in full compliance. Scurich Insurance can provide you with our inspection guide, “Be Prepared for an OSHA Inspection,” and help your business impress OSHA compliance officers.
OSHA Removes Employee Fatalities from Home Page
Although OSHA used to include a URL link on its home page that would direct viewers to a list of employee fatalities, the agency recently moved the link to a separate page on its website.
According to a spokesperson from the Department of Labor, the link was moved in order to increase the accuracy of workplace data, as previous listings included fatalities that were outside OSHA’s jurisdiction. However, OSHA will keep the list of employee fatalities on its website and continue to review data from employers.
Although the electronic reporting rule initially required certain employers to start submitting their required information by July 1, 2017, OSHA’s Injury Tracking Application website wasn’t ready to receive electronic reports in time, and OSHA proposed Dec. 1, 2017, as the new deadline. The rule doesn’t change an employer’s requirements to complete and retain regular injury and illness records, but some employers will now have additional obligations. Here are the requirements for the rule:
- Establishments with 250 or more employees that are required to keep injury and illness records must electronically submit the following forms:
- OSHA Form 300: Log of Work-Related Injuries and Illnesses
- OSHA Form 300A: Summary of Work-Related Injuries and Illnesses
- OSHA Form 301: Injury and Illness Incident Report
- Establishments with 20 to 249 employees that work in industries with historically high rates of occupational injuries and illnesses must electronically submit information from OSHA Form 300A.
The final reporting requirements will be phased in over two years. After the initial Dec. 1, 2017, deadline, establishments with 250 or more employees must submit information from OSHA Forms 300, 300A and 301 by July 1, 2018. Beginning in 2019 and every year thereafter, the information must be submitted by March 2.
For more help preparing for this new rule, call us at 831-661-5697 and ask to see our comprehensive Compliance Overview on OSHA’s electronic reporting rule.
New Silica Rule Enforcement Begins
A new OSHA rule on respirable crystalline silica will require employers to limit their employees’ exposure to silica hazards and provide medical exams to monitor highly exposed employees. The rule is scheduled to come into effect on June 23, 2018; however, OSHA began enforcement of the new rule in the construction industry on Sept. 23, 2017.
Under the new rule, employers must reduce the permissible exposure limit (PEL) for respirable silica to 50 micrograms per cubic meter of air (50 µg/m³). The rule also requires employers to take the following steps:
- Establish engineering controls to limit employees’ exposure to the new PEL.
- Provide employees with respirators when engineering controls alone do not provide enough protection.
- Establish a written silica exposure control plan.
- Provide medical exams to employees who are exposed to levels of respirable silica at or above the new PEL for 30 or more days a year.
To see more information on the respirable silica rule, and to see specifics about the rule’s application in the construction industry, visit OSHA’s website.
OSHA’s cranes and derricks operator certification standard becomes effective on Nov. 10, 2017.
Employers that use cranes and derricks in construction must comply with this standard. Employers should also become familiar with this standard if their employees work in areas or sites where cranes and derricks are in use. Finally, crane lessors that provide operators or maintenance personnel with the equipment they lease also have duties under the standard.
This Compliance Overview presents some frequently asked questions and answers compiled by OSHA regarding operator and signal person qualifications and operator certification.
LINKS AND RESOURCES
- OSHA’s cranes and derricks in construction website
- OSHA’s cranes and derricks FAQs
- OSHA’s small entity Compliance Guide for cranes and derricks in construction standard
OPERATOR QUALIFICATION & CERTIFICATION
On Sept. 26, 2014, OSHA published a final rule that extends the deadline for crane operator certification in the cranes standard at 29 CFR 1926.1427 for three years, to Nov. 10, 2017 (published in the Federal Register). The final rule also extends the employer’s duty to ensure that operators are competent to operate the crane safely for the same three-year period. During this extension, OSHA will address operator qualification through additional rule-making. OSHA will provide updated information about the crane operator certification and qualification requirements as it becomes available on OSHA’s cranes and derricks in construction
What must employers do before the operator certification requirements go into effect to ensure the competency of their operators?
Employers must ensure that equipment operators are competent through training and experience to operate the equipment safely (see 29 CFR 1926.1427(k)(2)). If an employee assigned to operate a crane does not have the required knowledge or ability to operate the equipment safely, the employer must train that employee before allowing him or her to operate the equipment and must evaluate the operator to confirm that he or she understands the information provided in the training (see 29 CFR 1926.1427(f) training requirements).
Does OSHA require operators to be certified under existing state, county or city licensing programs?
The answer depends on whether the licensing criteria meet the minimum requirements (“federal floor”) in 29 CFR 1926.1427(e)(2) and (j). If a state or local jurisdiction has a licensing program that meets the federal floor, OSHA requires the employer to ensure that all operators operating within that jurisdiction are licensed by that state or local jurisdiction, unless they are qualified by the U.S. military (see §1926.1427(a)(1)).
This requirement went into effect in November 2010. Note, however, that the crane standard’s operator certification requirements do not supersede state or local licensing laws. If the licensing program does not meet the federal floor, OSHA does not require operators to be licensed in accordance with that program, although the operator may still be subject to action by the state or local authority for failure to comply with its requirements.
Who will determine if a state or local operator certification process meets the federal floor requirements in 29 CFR 1926.1427?
Initially, states or local governments are responsible for determining if a state or local operator certification program meets the requirements of 29 CFR 1926.1427(e)(2)(i-ii) (see §1926.1427(e)(2)(iii)).
OSHA does not require compliance with a state or local licensing requirement unless the state or local authority that oversees the licensing department or office assesses that program and determines that it meets the minimum requirements in §1926.1427(e)(2)(i) and (ii), including satisfying the substantive testing criteria of §1926.1427(j) through written and practical tests and providing testing procedures for relicensing.
OSHA does not intend to require compliance with a state or local licensing requirement absent a public statement by the authority with oversight responsibility for the licensing office that the licensing program meets OSHA’s minimum requirements and the reason for that determination. However, OSHA has the final authority in determining that the program meets minimum OSHA requirements.
Is the option for qualification by the U.S. military available to employees of private contractors working under contract to the Department of Defense?
No. This option is only available to civilian and uniformed employees of the Department of Defense. When the operator certification requirements are in effect, private contractors must use one of the other options for operator certification/qualification available under 29 CFR 1926.1427.
Does OSHA endorse or approve testing bodies for operator certification or other purposes under the cranes standard?
No. OSHA does not evaluate or approve crane operator training courses or crane operator certification testing bodies. Under the cranes standard, operator certification testing bodies must be accredited by a nationally recognized accrediting agency (29 CFR 1926.1427(b)(1)(i)). Currently the American National Standards Institute (ANSI) and the National Commission for Certifying Agencies (NCCA) are the two organizations that OSHA has identified as nationally recognized accrediting agencies.
SIGNAL PERSON QUALIFICATIONS
What qualifications must a signal person possess?
A signal person must:
- Know and understand the type of signals used;
- Be competent in the application of the type of signals used;
- Have a basic understanding of equipment operation and limitations, including the crane dynamics involved in swinging and stopping loads and boom deflection from hoisting loads; and
- Know and understand the relevant requirements of the provisions of the standard relating to signals.
How does an employer know whether a signal person is qualified?
Under 29 CFR 1926.1428, employers must determine that a signal person is qualified through the assessment of a qualified evaluator, who must meet one of the following definitions in §1926.1401:
- Third-party qualified evaluator (“an entity that, due to its independence and expertise, has demonstrated that it is competent in accurately assessing whether individuals meet the qualification requirements in this subpart for a signal person”). The signal person must have documentation from a third-party qualified evaluator showing that he or she meets the qualification requirements.
- Employer’s qualified evaluator (not a third party) (“a person employed by the signal person’s employer who has demonstrated that he or she is competent in accurately assessing whether individuals meet the qualification requirements in this subpart for a signal person”). The employer’s qualified evaluator assesses the individual, determines that the individual meets the qualification requirements and provides documentation of that determination. This assessment may not be relied on by other employers.
(See 1/9/12 Interpretation Letter to William Irwin, Jr. and 6/28/11 Interpretation Letter to Walter Wise.)
Must the required training and qualification of a signal person be performed by an accredited organization?
No, but employers must have documentation of the signal person’s qualifications available at the worksite, either in paper form or electronically. For example, the documentation may be accessed from a laptop or tablet, via email or be transmitted from an off-site location by facsimile. While a physical card may serve as proof of a signal person’s qualifications, it is not the only means allowed by the cranes standard.
The documentation must specify each type of signaling (e.g., hand signals, radio signals, etc.) for which the signal person is qualified under the requirements of the standard. The purpose of this documentation is to ensure the on-site availability of a means for crane operators and others to determine quickly whether a signal person is qualified to perform a particular signal for the hoisting job safely.
(See 1/9/12 Interpretation Letter to William Irwin, Jr. and 6/28/11 Interpretation Letter to Walter Wise.)
Do Union and Trade Association Apprenticeship Certification Programs qualify as third party qualified evaluators for purposes of evaluating signal person qualifications in accordance with 29 CFR 1926.1428(a)(1)?
OSHA’s cranes standard requires each employer of a signal person to use a qualified evaluator (a third party or an employee) to verify that the signal person possesses a minimum set of knowledge and skills (29 CFR 1926.1428(a)). In general, OSHA does not evaluate or endorse specific products or programs, and, therefore, makes no determination as to whether a certification program meets the definition of a “qualified evaluator (third party).”
It should be noted, however, that in the preamble to the cranes standard, OSHA stated that “labor-management joint apprenticeship training programs that train and assess signal persons would typically meet the definition for a third-party qualified evaluator…”
(See the preamble to the cranes standard in the Federal Register at 75 FR 48029.)
With regard to training, the employer is ultimately responsible for assuring that its employees are adequately trained regardless of whether the employees’ qualification is assessed by the employer or a third party.
(See 1/9/12 Interpretation Letter to William Irwin, Jr. and 6/28/11 Interpretation Letter to Walter Wise.)
Does a certified operator automatically satisfy the criteria for being a qualified signal person under 29 CFR 1926.1428?
No. To qualify as a signal person, the operator would need to be evaluated by a qualified evaluator, satisfy the specified testing requirements for signal persons under 29 CFR 1926.1428 and have documentation that identifies the types of signaling (e.g., hand, radio, etc.) for which the operator has been evaluated.
In some cases, the operator’s certification process may also satisfy the signal person qualification requirements, depending on the qualifications of the certifying organization, the content of the certification exam and the documentation provided by the certifying organization. In general, the qualifications of a signal person and an equipment operator are not considered one and the same.
I received a license or certificate from an accredited organization as a trainer in signaling. Does this qualify me to be an evaluator of the qualifications of signal persons?
Not necessarily. While being an accredited trainer may indicate that the trainer possesses the skills for effectively communicating subject matter to trainees, a qualified evaluator must also have demonstrated that he or she is competent in accurately assessing whether individuals have the qualifications required by the cranes standard. For further information regarding signal person qualifications, refer to related fact sheets.