September 16 & 17, 2020 | Presented Virtually
By James N. McConnaughhay, General Chairman, Workers’ Compensation Institute, Inc.
Reprinted with permission from PropertyCasualty360, Sept. 1, 2020. © 2020 ALM Media Properties, LLC.
Further duplication without permission is prohibited. All rights reserved.
I recently reviewed an article in the Orlando Florida Business Journal describing a letter that a local employer received from a defense prime contractor advising that “if the (local company) wasn’t working to become compliant with new federal cybersecurity regulations, it was in jeopardy of losing out on future work on an (existing) contract worth $750,000” (a major contract for this small employer). For several years, the Workers’ Compensation Institute (WCI) had been reviewing the new cybersecurity standards and trying to determine whether these new standards applied to companies within the workers’ compensation community of employers. Because of the enormity of data and information retained by employers, insurance companies and others dealing with workers’ compensation issues, the concern was whether previously required compliance with cybersecurity standards might be expanded to relate to data/information retained as a matter of law for workers’ compensation purposes. There was a concern as to whether these same companies would be considered in the “defense supply chain” because of the expanded definition of that term requiring compliance with newly developed cybersecurity standards. Finally, even if the new cybersecurity standards do not apply to companies concerned with workers’ compensation issues (which is highly doubtful), the standards could well be utilized as a “best practice” method of protecting confidential information.
The new cybersecurity standards require adherence by companies within the defense supply chain, which includes not only prime contractors but also subcontractors and suppliers of services and products to defense contractors and subcontractors. Also, the described newly defined protected data would include information relevant to workers’ compensation issues. For this reason, WCI felt it to be essential to educate the workers’ compensation industry on the newly developed standards referred to as CMMC.
The breakout sessions on the new cybersecurity standards were initially to be held at the 2020 Workers’ Compensation Educational Conference in Orlando. Unfortunately, the conference was postponed until 2021 because of the COVID-19 pandemic. However, because of the urgency of getting information to unknowing employers and others that are a part of the workers’ compensation community, it was decided to present the sessions in a virtual format to be held on September 16-17, 2020.
In creating the cybersecurity sessions, the initial question was how many companies/employers have been presently designated as being in the defense industry that would unquestionably be subject to the new CMMC standards. Based on current information, we determined that the Florida military and defense industry has a $95 billion impact on this state’s economy. The defense sector provides 914,787 jobs employing Floridians in every county in the state. The defense sector constitutes approximately 9% of the state’s total economy, with Florida being the 4th largest recipient of defense contracts in the U.S. with over $17.5 billion in awarded grants annually. Most assuredly, it could reasonably be assumed that a major part of already designated military and defense industry employers/companies are also a part of the workers’ compensation community. You would think that these companies would know about the new cybersecurity standards and the need for compliance. Based on the experience of the company referenced above, obviously this is not the case.
Of even more concern is educating those companies/entities that have not in the past been considered to be in the defense industry. Under the new standards defining those companies required to be compliant, subcontractors and suppliers of services and products are included, unquestionably expanding into different areas those who must be compliant. If companies that have been designated as defense contractors in the past are not aware of the new cybersecurity standards as illustrated in the example of the company referenced above, it is probably reasonable to assume that companies that don’t even know they may be a part of the defense industry for meeting the new standards do not know of these requirements. In addition, protected data/information not only applies to classified information but also to “controlled unclassified information” (CUI), information that no doubt is being retained for workers’ compensation purposes as a matter of law.
Recognizing the enormity of creating new cybersecurity standards, increasing the companies that must be compliant, and redefining protected data/information is consistent with recent actions taken by the U.S. Department of Defense (DoD). In July 2020, the Florida Department of Economic Opportunity (DEO) was awarded a $1 million grant to create the Florida Defense Cybersecurity Training Program. Funding was intended to “be used to administer programs and training that assists small and medium sized defense contractors (as redefined by the recent standards) in becoming aware of and compliant with the DoD’s cybersecurity standards.” The initial action included educating companies with particular reference to the standards’ application and new processes. What the employer in Orlando was concerned about, as above referenced, is exactly what the new grant was intended to provide. Even though the grant is primarily intended for small and medium sized companies, the education provided will have tremendous applicability to large companies since they have to be sure that their subcontractors and providers of products and services are compliant. Otherwise, they may not be able to bid on defense contracts or may unknowingly be in violation of the new standards.
The cybersecurity forum will provide detailed information on these new standards and will be presented by DoD representatives that have been responsible for overseeing and developing new processes and standards. Presentations will also be made by committee members that were responsible for the preparation of the new regulations.
The Workers’ Compensation Institute in partnership with the Associated Industries of Florida Foundation will deal with cybersecurity in general and its importance in the world today. Senator Marco Rubio (R-FL) will present on the extreme importance of cybersecurity from an international standpoint. Selected industries will discuss their required sensitivity to cybersecurity concerns. A simulated cybersecurity breach will be demonstrated. Of additional significance is industry’s resilience planning and the U.S. Navy’s prediction of the consequences of a national crippling cyberattack on the economy of Florida. Finally, from an individual’s standpoint and that of an individual company, what are the legal and financial consequences of a cyber breach? Joining the discussion on this session will be the state Insurance Commissioner, David Altmaier, presenting on the consequences of cyber breaches and possible issues for collecting insurance policy coverages either on a first party (business interruption coverages) or third party claim (breaches caused by the insured’s negligence causing damages to third parties). Compliance with required cybersecurity standards in the past could be based on the prime contractor’s good faith assurance that all cybersecurity standards had been met. This no longer is the case. Under the new standards, compliance must be certified by an actual third party audit.
The full 2-day presentation offers the very best information that is available on cybersecurity and the consequences of a breach from an international, national and individual company basis. Further information can be obtained from the Workers’ Compensation Institute at www.wci360.com. A copy of the complete program can be reviewed at www.wci360.com/cyber/.
The Workers’ Compensation Institute annually sponsors the Workers’ Compensation and Safety Educational Conference, which is the largest educational conference related to issues of importance that affect all players in the workers’ compensation industry. Not only are courses offered at the annual conference directly related to workers’ compensation, we also strive to educate on issues that significantly affect our industry. Cybersecurity unquestionably affects workers’ compensation and should be of significant interest to all.