November 2022

The reporting requirements under the Affordable Care Act (ACA) have been in effect since 2015. Many employers are already familiar with the rules. However, some employers, particularly those that have grown in size, may lack clarity regarding their reporting obligations under the law. As the deadlines for the 2022 ACA reporting roll near, it is important to review the basics of reporting, including any changes that may be applicable for the 2022 reporting year.

Basics of Reporting

The ACA created two federal reporting requirements under Internal Revenue Code (Code) Sections 6055 and 6056.

CODE SECTION 6055. Under Code Section 6055, insurance carriers and self-funded employers must report to the IRS and to covered individuals that the persons were covered by minimum essential coverage. These entities use Form 1094-B and Form 1095-B (B Forms) to report this information.

CODE SECTION 6056. Code Section 6056 applies to applicable large employers (ALEs) subject to the employer mandate or “pay or play” rules. ALEs must report information regarding their offer of health coverage to full-time employees by filing Form 1094-C and Form 1095-C (C Forms) with the IRS, and by distributing a copy of Form 1095-C to their full-time employees. The information on the forms will be used to determine whether the employer is subject to any pay or play penalties under Code §4980H. It will also be used to determine whether individuals are eligible for a premium tax credit on the Exchange.

Which Employers are Required to Report?

ALEs. Whether sponsoring a fully-insured or self-funded plan (see separate bullet for small, self-funded employers), employers who are ALEs must comply with the Section 6056 reporting requirements. To be considered an ALE for a calendar year, an employer must have employed, on average, at least 50 full-time employees including full-time equivalent employees during the previous calendar year. All types of employers can be ALEs, including tax-exempt organizations and government entities.

CONTROLLED GROUPS. All employees in a controlled group are counted when determining whether the employer is an ALE. If the combined total of all full-time and full-time equivalent employees of all employers within the controlled group meets the threshold, every employer in the controlled group is considered an ALE and is subject to Section 6056 reporting requirements.

SMALL, SELF-FUNDED EMPLOYERS. Small employers (i.e., non-ALEs) that sponsor a self-funded group health plan (including a level-funded health plan) must comply with the 6055 reporting requirements by using the B Forms. Note that ALEs that sponsor a self-funded health plan will comply with the reporting requirements under both Code Sections 6055 and 6056 by using the C Forms.

Reporting Forms

1094-B. This form acts as a transmittal form or cover sheet for Forms 1095-B to the IRS. The 1094-B requests only the following information: the filer’s name and address, EIN, information for an employer contact, total number of Forms 1095-B transmitted with the Form 1094-B, and a signature, title, and date.

1095-B. This form is used by insurers and small, self-funded employers to provide actual enrollment information of the individual and family members enrolled in minimum essential

1094-C. This acts as a transmittal form or cover sheet for Forms 1095-C, similar to a W-3. Some information reported on this form includes the basic contact and identifying information of the employer, whether the employer offered minimum essential coverage to at least 95% of its full-time employees for each month of the calendar year, and the total number of employees in each month.

1095-C. If you are an ALE (whether fully insured or self-funded), this form must be completed for every full-time employee, submitted to the IRS, and furnished to each employee. Large self-insured plans will also need to complete this form for any individual enrolled in coverage (i.e., part-time employees). This form requires the employer to detail its offer of coverage to the employee in order to avoid potential employer mandate penalties. As the IRS continues to assess Code §4980H penalties, it is critical to thoroughly check the coding of each employee on the form to make sure the information is correct and an accurate representation of each employee.

Deadlines for Filing

The due date for furnishing the 2022 Form 1095-B and 1095-C to individuals is March 2, 2023. Employers can deliver the forms to individuals by mail, in person, or electronically (with consent). The deadline for paper filing with the IRS is February 28, 2023 (March 31, 2023, if filing electronically). Electronic filing is mandatory if an employer is filing 250 or more Forms 1095-C and must be done via the ACA Information Returns (AIR) System. The IRS also has proposed regulations that would expand the electronic filing requirement to employers filing fewer than 250 forms. At this time, the rules have not been finalized, and the lower threshold is not included in the 2022 draft 1094-C and 1095-C instructions. While this lower threshold is not likely to apply for the 2022 reporting in 2023, employers should review the final instructions upon release to ensure the rule has not changed.


If an employer fails to furnish the necessary forms to individuals or files incomplete or inaccurate ACA filing forms with the IRS, the IRS may impose penalties of up to $290 per form per failure for forms required to be filed or furnished in 2023. In past years, the IRS did not impose penalties for incomplete or inaccurate forms if the employer could show it made “good-faith efforts” to comply with the information reporting requirements (which requires the forms to be filed timely with the IRS). However, this relief was not extended for the 2022 forms due in 2023, so employers should no longer rely on this relief.

Employer Next Steps


COVERAGE. Confirm you offered minimum essential coverage that was affordable and provides minimum value to all full-time employees in 2022, and select the appropriate safe harbor used to determine the affordability of coverage.

FULLY INSURED. Avoid filing for non-full-time employees if not required (only required to report for non-full-time employees if they were enrolled in a self-insured health plan).

DOCUMENT RETENTION. Maintain records of hire and termination dates, along with documents substantiating compliance with the offer of coverage requirements (e.g., SBCs, records of eligibility, election and waiver forms, etc.).

OUTSOURCED REPORTING. If working with an ACA reporting vendor or payroll provider, confirm that their system accommodates the updates made to the 2022 Forms. When transitioning to a new vendor or provider, it is critical to receive and maintain all records and data used to generate the past forms before terminating the contract.

STATE MANDATE. If your state has an individual mandate requirement, consult with your ACA reporting vendor to confirm that their system complies with the state’s filing requirements.


SELF-INSURED & LEVEL-FUNDED PLANS. If you sponsored a self-insured or level-funded group health plan in 2022, make arrangements to comply with the Section 6055 reporting requirements by completing the necessary B Forms.

EMPLOYEE COUNT. If you are close to the 50 full-time, including full-time equivalent, employee threshold, determine your future ALE status for 2023, so you can proactively prepare to meet the ALE reporting requirements the following year.

Additional Resources:


1094-C & 1095-C

1094-B & 1095-B





HR Bulletin: Occupational Safety and Health Administration COVID-19 Vaccination Emergency Temporary Standard

The Occupational Safety and Health Administration (OSHA) has released the long-awaited emergency temporary standard (ETS) addressing mandatory vaccinations in the workplace.

UPDATE: On December 17, 2021, the Sixth Circuit Court of Appeals lifted the stay on OSHA’s 100+ Employee Vaccination and Testing Emergency Temporary Standard (ETS).  The court determined that the injuries claimed by the parties in opposition to the ETS were too speculative and the costs associated with delaying implementation of the ETS were too significant to uphold the stay.

As a result of the stay being lifted, OSHA made changes to the compliance deadlines previously in force.  Specifically, as long as an employer is exercising reasonable, good faith efforts to come into compliance with the ETS, OSHA will not issue citations for noncompliance with any requirements before January 10, 2022.  Further, they will not issue citations for noncompliance with the testing requirements before February 9, 2022.

The January 10, 2022 date is significant because the United States Supreme Court scheduled oral arguments for Friday, January 7, 2022 to determine if the ETS as well as the CMS Vaccine mandate should again be stayed pending full review of the merits of the litigation.  It is expected that due to the pressing nature of the issues, a decision by the Supreme Court will be issued shortly after oral arguments are complete, hopefully prior to the January 10, 2022 date set by OSHA for partial compliance with the ETS.

Employers that are covered by the ETS or the CMS Vaccine mandate should begin good faith compliance efforts in preparation for the upcoming decision by the Supreme Court.  A review of the key components of the ETS standards is contained in this publication and should be reviewed as a refresher for employers.

Please click here to continue reading our AHERN Human Resources Bulletin.

Plan sponsors of group health plans providing prescription drug coverage to individuals who are eligible for Medicare Part D prescription drug coverage are required to satisfy certain notice requirements.

Each year, Medicare Part D requires group health plan sponsors to disclose to individuals who are eligible for Medicare Part D and to the Centers for Medicare and Medicaid Services (CMS) whether the prescription drug coverage is creditable.

The creditable coverage disclosure notice alerts individuals as to whether their plan’s prescription drug coverage is at least as good as the Medicare Part D coverage (in other words, whether their prescription drug coverage is “creditable”). Medicare beneficiaries who are not covered by creditable prescription drug coverage and who choose not to enroll in Medicare Part D before the end of their initial enrollment period will likely pay higher premiums if they enroll in Medicare Part D at a later date.

CMS has provided two model notices for employers to use:

Please click here to continue reading our AHERN Benefits Brief. This Benefits brief covers how to determine whether a prescription drug plan is creditable, notice requirements, whether there is a penalty for noncompliance, as well as CMS reporting.

By Daniel W. Hager

Corporate Counsel, Ahern Insurance Brokerage.

Written for 2021 issue of Arizona Attorney Magazine

Effective communication with clients is not only ethically required but it substantially reduces risk to lawyers.  A very large percentage of malpractice and ethics claims arise from poor communication.

Documenting advice to clients and their directions about the representation is not required by Arizona’s ethical rules in every situation.  There are exceptions, such as getting informed written consent in a conflict situation.  However, failing to document advice and client directions can substantially increase the risk of – and exacerbate – malpractice and ethical complaints.

ER 1.2 of the Arizona Rules of Professional Conduct requires that “a lawyer shall abide by a client’s decisions concerning the objectives of representation and, as required by ER 1.4, shall consult with the client as to the means by which they are to be pursued.”

ER 1.4(a) requires that lawyers must “(1) promptly inform the client of any decision or circumstance with respect to which the client’s informed consent, as defined in ER 1.0(e), is required by these Rules; (2) reasonably consult with the client about the means by which the client’s objectives are to be accomplished; (3) keep the client reasonably informed about the status of the matter; (4) promptly comply with reasonable requests for information; and (5) consult with the client about any relevant limitation on the lawyer’s conduct when the lawyer knows that the client expects assistance not permitted by the Rules of Professional Conduct or other law.”

Lawyers may not take significant action without a client’s knowledge and consent, especially regarding settlement offers or other important decisions that must be made.  These rules require lawyers to generally abide by client decisions and to communicate effectively with clients.  They do not require that those client decisions and communications be documented in writing.  However, it is always the best practice to make a written record of such decisions by, and communications with, clients.

Particularly regarding major strategic decisions, settlements, and other important decisions that are not documented, if the matter ultimately goes badly for the client there is a significant risk that recollections may differ.  For example, a client may insist on a course of action the lawyer believes – and tells the client – will have adverse consequences for the client.  If those consequences come to pass – and the lawyer has not confirmed in writing the advice given, the client’s refusal to follow that advice, and the client’s insistence that another course be followed – the client may blame the lawyer for the bad outcome.  The client may even claim the lawyer decided the course to take without the client’s input or consent, or that the lawyer consciously refused to follow the client’s direction.

Without a writing memorializing the lawyer’s advice and the client’s directions, it becomes the lawyer’s word against the client’s in any later dispute.  Such “lawyer said/client said” situations increase the risk of bad outcomes in both ethics grievances and malpractice claims.

One effective way to communicate and document limits on a lawyer’s authority and obligations is to use written engagement agreements that clearly spell out the scope of the representation.  Equally importantly, they should specifically identify areas outside the scope of the representation, such as providing tax advice.  Well-drafted engagement agreements documenting the scope of the representation offer the additional benefit of the client having signed them as understood and agreed to.

Some clients may present situations where even carefully documenting important communications is not enough.  For example, a client may insist on taking actions the lawyer knows are criminal and seeks counsel’s advice on how to avoid being caught.  Or a client may direct the lawyer to take other unethical actions.  In such situations, documentation of communications is critical, but withdrawal from the representation altogether is the wisest course and may in fact be required under the applicable ethical rules.

Fortunately, most clients do not present such extreme situations.  But for any client, the lawyer is well-advised to memorialize or confirm all important client decisions and communications in writing.  Some situations may require a lengthy letter or memo to the file.  In other situations, a brief email confirming the client’s direction or consent to take a particular action is sufficient.  The key is to memorialize such important communications in writing.

Good communication with clients generally, and about major decisions in particular, will greatly reduce the risk of ethics grievances and malpractice claims.  Creating a written record of those communications provides lawyers with a critical additional layer of protection.

Many in-house attorneys fail to purchase Employed Professional Liability Coverage to protect themselves against potential lawsuits. Even though most claims are brought on by clients, employed lawyers are also subject to suits from third parties, such as employees, shareholders and government agencies. It is imperative that a successful organization and its legal staff recognize their real legal risks and then purchase coverage to protect against those risks.

Risks Facing In-House Attorneys

The following are just some of the many risks that in-house attorneys regularly face:

  • Attorneys at private companies face exposures when performing contract negotiations, giving advice to Human Resources professionals, assisting with mergers and reviewing contractual language.
  • For publicly-traded companies, the Sarbanes-Oxley Act (SOX) increases potential exposure.
  • Since electronic information is discoverable and recoverable, it must be stored and preserved just like paper documents once were. In-house attorneys should work with IT professionals to ensure compliance with this rule.
  • Clients may sue over a contract that did not work in their favor in which the attorney had a hand in writing.
  • Termed employees may sue the employer and name the attorney for negligence.
  • Attorneys are at risk when performing moonlighting services or pro-bono work.

Insurance Protection— To protect against these risks, it is wise to purchase Employed Lawyers’ Professional Liability Insurance coverage (Employed Lawyers Coverage). Typical policies may feature the following:

  • Protection from demands, suits or proceedings for damages or injunctive relief
  • Policy may be written as either a “claims made” or “claims made and reported,” and a “duty to defend” or “non-duty to defend” basis
  • Responds to licensing proceedings for in-house attorneys to practice law
  • Deals with compliance for SOX
  • Provides defense against claims alleging wrongful acts
  • Wrongful acts and claim definitions are expanded and broad
  • Extends to pro-bono or moonlighting work done by in-house lawyers
  • Includes full-time on-staff attorneys and contract and independent contract lawyers and support staff members
  • Advance of defense costs, even if allegations are found to be groundless
  • Coverage extends globally
  • Coverage for non-client claims
  • Coverage for SEC and regulatory claims
  • Punitive damages coverage
  • Covers claims from coworkers that arise out of the attorney’s work at the organization
  • Covers costs for claims brought by the employer, board of directors and officers

In-house counsel should make sure they are protecting themselves from risk while they work to protect their employer from risk. Contact AHERN Insurance Brokerage to learn all about our insurance solutions for your business today. Based in San Diego, also serving the San Francisco and Los Angeles areas.


This Coverage Insights is not intended to be exhaustive nor should any discussion or opinions be construed as legal advice. Readers should contact legal counsel or an insurance professional for appropriate advice.  © 2011 Zywave, Inc. All rights reserved.


Lawyer’s professional liability coverage for attorneys and law firms in today’s business climate is a necessity, and in some cases is legally required. Although the overall number of legal malpractice insurance claims is leveling off, the number of large legal malpractice claims is sharply rising. Every attorney malpractice insurance provider anticipates paying claims in excess of $50 million every year. It is imperative that attorneys and law firms recognize emerging legal malpractice risks and purchase coverage to protect against risks.


Risks Facing Attorneys and Law Firms

Attorneys and law firms must face these risks relating to professional liability:

  • Attorneys and law firms face exposures when performing any professional legal services, including giving advice to clients and assisting with legal matters, performing notary public or title agent services and giving investment advice.
  • New technologies such as digital document storage, electronic filing of documents and mobile technology may pose serious cyber liability risks.
  • Prior acts of a law firm or individual member, including employees, may trigger risks when attorneys and/or their employees move into new positions with different law firms or go into solo practice.
  • Practicing in areas of law which may be new or unfamiliar to an attorney or law firm may be necessary in today’s economy, but it produces risk.
  • Attorneys are at risk when performing moonlighting services or pro-bono work, or even when giving “cocktail party” advice.
  • Attorneys may face exposure when pursuing other business opportunities with clients, or when acting in a dual capacity, such as an officer or director for a client’s business.
  • Attorneys and law firms may face risk in a number of general areas, including workers’ compensation, advertisers’ liability, reputation management, discrimination, claims brought by regulatory agencies and real estate claims.
  • Even changing insurance policies can carry risk, since policies can be worded slightly differently, or may contain a “prior knowledge” exclusion affirming that the attorney or law firm is not aware of any potential claims.

Disclosure of Liability Insurance— The American Bar Association (ABA) Model Rules of Professional Conduct serve as the model for state ethics rules; states often adopt these rules as their own. The ABA Model Court Rule on Insurance Disclosure requires that a lawyer disclose whether he or she is currently covered by professional liability insurance to the highest court of the jurisdiction, and that such information be made available to the public. The purpose of this Model Rule is to offer prospective clients the ability to make an informed decision when hiring a lawyer. More states, such as California, New Mexico and Pennsylvania, are requiring the same or similar disclosures of liability insurance status to prospective clients in their states. One state, Oregon, actually requires lawyers to carry professional liability insurance.

Insurance Protection— To protect against the many risks facing attorneys and/or law firms, as well as to satisfy any lawyer liability insurance disclosure requirements, it is wise to purchase lawyers’ professional liability insurance coverage. While there are many coverage options available, typical policies feature the following:

  • Protection from demands, suits or proceedings for damages or injunctive relief
  • A “claims made” or “claims made and reported” policy and a “duty to defend” or “non-duty to defend” basis
  • Defense against claims alleging wrongful acts (wrongful acts and claim definitions are expanded and broad)
  • Extensions to pro-bono or moonlighting work, or “cocktail party” advice by lawyers
  • Advance of defense costs, even if allegations are found to be groundless
  • Coverage for non-client claims
  • Arbitration of a coverage dispute between the insurer and the insured
  • Punitive damages coverage, or coverage of fines, statutory penalties and sanctions
  • Limits on deductibles, or deductibles treated on an aggregate basis

Limiting Liability— There are more ways to limit your liability apart from Professional Liability Insurance, such as the following:

  • Disclosing requested information in the insurance application and submitting the application well before the coverage date
  • Documenting the processes used to carry out professional responsibilities
  • Committing to loss prevention and using risk management services
  • Adopting and implementing malpractice prevention measures such as office management policies
  • Using effective calendaring and docket control systems
  • Using well-defined fee agreements with your clients including written documents to confirm the attorney/client relationship
  • Using an electronic conflict of interest search system
  • Practicing in the area of law in which you have experience, and appropriately supervising junior attorneys and support staff
  • Using peer review as part of your quality control procedures

Some of the benefits of attempting to limit your liability include lower professional liability insurance premium increases and avoidance of nonrenewal notices.

We Are Here to Help—All attorneys and law firms should make sure they are protecting themselves from the ever-increasing and emerging areas of malpractice risk by purchasing legal malpractice insurance and employed lawyers coverage. Since there is no standard policy, especially in today’s business climate, a knowledgeable agent is invaluable when purchasing professional liability coverage or when changing policies. We understand your business and can help design policy language to meet your unique needs. We can also help you obtain the most cost-effective policy available while providing the protection you need. Contact us here to learn all about our customized insurance solutions.


This HR Insights is not intended to be exhaustive nor should any discussion or opinions be construed as professional advice. © 2020 Zywave, Inc. All rights reserved.


Under a new law, California is bringing back the state’s COVID-19 Supplemental Paid Sick Leave — with some big changes. California employers with more than 25 employees must provide up to 80 new hours of supplemental paid sick leave for specific COVID-19-related reasons.

Employers must start providing this new leave on March 29, 2021, so they will need to get up to speed on this new law quickly.

Click here for more details and our full HR Compliance Bulletin.  You can also reference the Department of Industrial Relations FAQs and the mandatory workplace poster for further guidance.

Your client won after being sued in what she believed was a meritless case. Her defense fees were high. She wants you to sue her former adversary and his lawyer for malicious prosecution.

Think long and hard before taking the case. Malicious prosecution is notoriously hard to prove – the probable cause standard is low and malice difficult to prove. Study the elements of the tort carefully. Explain to your client – in writing – the challenges she will face. She will probably draw an anti-SLAPP motion, which will likely be granted. The other side will then recover its reasonable attorneys’ fees and costs in bringing the motion (and fees on appeal if the ruling is affirmed), which will be substantial.

Lawyers who do not educate clients about these significant risks often next find themselves as defendants in malpractice cases, by clients who justifiably ask, “Why didn’t you tell me this would happen?”

Written By: Daniel Hager, AHERN Corporate Counsel

Daniel W. Hager is Corporate Counsel to AHERN Insurance Brokerage and has spent his career practicing in the fields of lawyers’ professional liability, risk management, and legal ethics.

Let’s face it, the past several months have been rough on everyone. COVID-19 has radically disrupted our everyday lives, changed the way we do business and drastically increased the number of times we all say “strange” and “unprecedented.” One group that’s been thriving in the COVID-19 world, however, is Cyber Criminals. With the rush to implement “work from home” protocols, security has by and large taken a back seat to operational survival, and Cyber Criminals have positioned themselves well to take advantage of this new reality. Poorly configured remote desktops, home “Wi-Fi” networks, a host of new applications and employees forced into the strange new land of remote working all add up to a perfect Cyber Storm. Luckily it’s not all gloom and doom, and there are things you can do to help make your firm more resilient to Cyber Attacks.

As we take a closer look at Cyber Risk, it is helpful to consider two questions when thinking about these threats:

  • Do you have a Cyber Incident Response plan?
  • Will you survive a Cyber Attack?

Our friends Mike and Ben will make cameos later on to illustrate the importance of these two questions when determining your firm’s resilience in the face of Cyber Threats.

A good place to start is by examining “What’s at Risk” for your firm. Typically this can be broken down into three categories: Data, Disruption and Dollars.

Data

a) Corporate Data: Every law firm is different, which means the type and volume of information will vary greatly from firm to firm. Personal Injury attorneys may have sensitive health information and medical records, M&A attorneys may have sensitive deal information, real estate and trust attorneys may have sensitive financial information in their files, etc. Think about the information your firm collects, stores and processes.

b) Employee Data: Regardless of what type of law you practice, every firm has employees. Think about all the information you take in when onboarding an employee: Name, Address, Phone Number, Social Security Number, Bank Account information for Direct Deposit, background checks, etc. As an employer it is your legal responsibility to protect this information.

c) Data in Transit: Data is at Risk while it is on your firm’s computers, while it is in transit (faxes, emails, texts) and finally, when it resides on a third party’s network. Many organizations believe that by utilizing a third party to store information they are absolving themselves of all responsibility for what happens after the transfer. However, the truth is much more complicated. Data Privacy Law states that the owner and/or collector of information maintains responsibility for that data, and the liability cannot be transferred via contract.

Disruption

While the bulk of the discussion regarding Cyber Risk has historically focused around Data Breaches, (with good reason: they’re dangerous and tremendously expensive to deal with) the mass proliferation of Ransomware has now catapulted Business Disruption to the top of the list for concerned firms across the world.

Dollars

Pretty straightforward. Cybercriminals are after your money AND your clients’ money.


Now that we’ve identified “What’s at Risk” for your law firm, let’s dive into “How Breaches Occur.” There are three main Cyber Threat Vectors: Outside Attackers, Insider Threats and Third Party Incidents.

Outside Attackers

Hackers. Typically depicted in a hoodie and gloves in a dark room (not ideal for typing), Hackers deploy malicious software, commonly referred to as “Malware,” in order to corrupt legitimate computer code for the hackers’ own purposes. A few different types of outside attacks are:

a) Ransomware: Ransomware is a specific type of malware that is designed to encrypt key files and/or systems, with an accompanying ransom demand in order to provide the decryption key. The newest and most costly form of Ransomware in the Cyber world today is called “Maze” Ransomware. A new twist on Ransomware, the group behind Maze, exfiltrates sensitive information, publishes the name of your firm online, then demands a ransom payment which (supposedly) guarantees that the Cyber Criminals will not publish all of your sensitive information online.

b) Keyloggers: Keyloggers are a type of Ransomware that when downloaded (via an errant click on a website, email attachment, etc.) quite literally logs the key strokes of your computer as you type. Keyloggers are typically used to pick up usernames and passwords which can then be used across various networks to inflict harm.

c) DDoS: Distributed Denial of Service attacks are brute force attacks designed to overwhelm a target with a flood of requests. Cyber criminals compromise and harness the power of various internet connected devices (computers, copiers, security systems, baby monitors, refrigerators, microwaves, etc. and yes, we’re serious about refrigerators), then direct that computing power at a single target, flooding the victim with billions or potentially trillions of requests per second until the targeted organization is completely overwhelmed and shut down.

d) Business Email Compromise: Business email compromise is exactly what it sounds like. A hacker gains access to your email or a vendor’s email and utilizes that email to fraudulently induce various parties to transfer money or sensitive information.
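The DDoS description above comes down to one observable: far more requests from a source in a short window than any legitimate client would send. As an added example (written for this page, not code from the original post), the following Python script shows the simplest form of the detection a defender would run over web-server access logs: a per-source sliding-window counter that flags any source whose request count within the window reaches a threshold. The log lines are constructed inline in Common Log Format; the IP addresses, window size and threshold are assumptions chosen for illustration, and real deployments tune the threshold to their own baseline traffic.

```python
"""Sliding-window request-flood detector over access-log lines (example code)."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# Common Log Format: ip ident user [timestamp] "request" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3}) (?P<size>\d+|-)'
)


def parse_line(line):
    """Return (source_ip, timestamp) for a well-formed line, or None for garbage.

    Malformed lines are skipped rather than raising, because a log under attack
    often contains truncated or binary-laden entries.
    """
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
    return m.group("ip"), ts


def find_flooding_sources(lines, window_seconds=10, threshold=20):
    """Return {ip: peak_requests_in_window} for every source that reaches
    `threshold` requests inside any `window_seconds`-long window.

    Lines are assumed to be in chronological order per source, which is how
    a server writes them. Each source keeps a deque of recent timestamps;
    entries older than the window are dropped from the left before counting.
    """
    windows = defaultdict(deque)
    peaks = {}
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ip, ts = parsed
        recent = windows[ip]
        recent.append(ts)
        while (ts - recent[0]).total_seconds() > window_seconds:
            recent.popleft()
        if len(recent) >= threshold:
            peaks[ip] = max(peaks.get(ip, 0), len(recent))
    return peaks


def _clf_line(ip, when):
    """Format one constructed Common Log Format line."""
    stamp = when.strftime("%d/%b/%Y:%H:%M:%S %z")
    return f'{ip} - - [{stamp}] "GET / HTTP/1.1" 200 512'


def _constructed_sample():
    """Constructed sample log: one normal client, one flooding source, one bad line.

    The addresses come from the documentation ranges (RFC 5737); they are
    assumptions for this example, not real hosts.
    """
    base = datetime(2020, 6, 1, 12, 0, 0, tzinfo=timezone.utc)
    lines = []
    # A normal client: five requests spaced 30 seconds apart.
    for i in range(5):
        lines.append(_clf_line("192.0.2.10", base + timedelta(seconds=30 * i)))
    # A flooding source: 60 requests inside roughly six seconds.
    for i in range(60):
        lines.append(_clf_line("198.51.100.7", base + timedelta(milliseconds=100 * i)))
    # A corrupted entry, as seen in logs written under load.
    lines.append("\x00\x00 not a log line")
    return lines


SAMPLE_LINES = _constructed_sample()


if __name__ == "__main__":
    for ip, peak in find_flooding_sources(SAMPLE_LINES).items():
        print(f"{ip}: {peak} requests within a 10 s window")
```

Running the script reports only 198.51.100.7; the normal client never accumulates 20 requests in a window and the corrupted line is ignored. In practice this counter is the kind of rule a reverse proxy or WAF applies before the application ever sees the request, and it is most useful for the volumetric pattern the post describes; low-and-slow or distributed attacks spread across many sources need aggregate rather than per-source thresholds.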

Insider Threats

As we’ve found, not all attacks come from the outside. Employees are also a large driver of Cyber Losses.

a) Malicious or Disgruntled Employees: One of the best examples of the damage a malicious insider can cause comes from a professional services firm in the UK. The story goes like this: the firm hires a new employee to perform data entry and data integration; the employee works 9 to 5 and, at 5pm, leaves work and brings all their data from work home to their significant other, who is a hacker; said hacker uses this information to commit wide-scale insurance fraud.

b) Careless Employees and Honest Mistakes: Phishing and Social Engineering attacks are designed to trick employees into disclosing sensitive information, transferring money to a bad actor, or clicking on a link or attachment that provides the entry point for a malware payload. Lost and compromised devices such as laptops and mobile phones have also proven to cause huge losses to a variety of organizations, and some Cyber Insurance policies contain exclusions for losses arising out of lost devices that are unencrypted.

Third Party Incidents

Everyone has had the story of the Target breach beaten repeatedly into their head at this point, but for a quick recap: a third-party contractor that did business with Target was compromised by a bad actor. The bad actor then used the third-party contractor as an entry point to infiltrate Target’s systems, ultimately resulting in the massive theft of credit card information belonging to Target’s customers and enormous financial losses for Target itself. While the chances are your firm is not the size of Target, it is helpful to use this example as a lens through which to view the third-party “Hub and Spoke” security issue. Think of your firm as the “Hub” in this scenario, with all the third party vendors you use every day as the “Spokes.” Your firm is doing a great job with cybersecurity due diligence and purchases Cyber insurance. In essence, the “Hub” is protected. Are all of your “spokes” (cloud providers, billing services, credit card processors, software vendors) protecting themselves the same way? How are you validating or contractually mandating them to do so?


Solutions: Cybersecurity + Cyber Insurance = Cyber Resilience

Finally some good news. While the Cyber world can be a scary place, the good news is there are actions you can take to help prepare your firm for Cyber Incidents.


There are a TREMENDOUS number of Cybersecurity solutions out there, so many, in fact, that sometimes we’re tempted to throw our hands up and say “Where do I even start?” While this is by no means an exhaustive list, these are some of the easiest to implement and effective steps your firm can take right now to harden your firm’s Cyber Risk posture:

  1. Firewalls and Anti-Virus Software: Will this prevent your firm from being compromised? Not necessarily. Does it help protect you? Yes. Think about this from the analogy of a burglar looking to rob a house. The firewall or anti-virus is a fence around the property. Does a fence prevent every burglary? Absolutely not. Does it make it a little bit harder? Yes.
  2. Strong Passwords and Password Management: Everyone reading this probably just rolled their eyes, but the bottom line is that a huge number of Cyber Incidents could be thwarted by stronger passwords and password management. There are a ton of good vendors out there that can help!
  3. Back-Ups: Make sure you are backing up your information. There are a variety of different ways to do this and a proper discussion of back-ups would require an article unto itself. Oftentimes folks are lulled into a false sense of security because “everything is backed up” only to find their back-ups have been compromised or they haven’t tested them in 10 years. The bottom line, however, is that back-ups are important. Make sure you back up your data in one way or another.
  4. Employee Training: The vast majority of Cyber Incidents involve the human element at some point in the process. Training employees to be on the lookout for suspicious emails or behavior within the company will go a long way in creating a company culture that takes Cyber Risk seriously.
  5. Multi-Factor Authentication: Enabling multi-factor authentication (using two or more pieces of information to validate a user) is an incredibly simple way to harden your defenses. The leader of the Cyber Practice at a large Insurer recently shared that about 1/3 of their recent claims could be prevented by properly implementing Multi-Factor Authentication.
  6. Patching: Remember all of those little notifications that pop up and tell you that an update is available? Those are important! It means that someone found a vulnerability AND they also found a way to patch that vulnerability.
  7. Constant Testing and Updating: Once you’ve established cybersecurity protections, back-ups, incident response plans, etc. make sure you test them!

Cyber Insurance

A lot has changed in the Insurance world over the past 5-10 years and nowhere is that more evident than in the world of Cyber Insurance. Before we get into the specifics of Cyber Insurance, let’s understand what Cyber Insurance is at a high level:

Cyber Insurance is a risk transfer mechanism that shifts the financial burden of a Cyber Incident from an organization to an Insurer.

Okay, that sounds nice but what does it do?

First Party Coverage

  1. Cyber Incident Response: Carriers have partnered with a wide variety of law firms, forensics teams and PR experts to provide immediate and effective response to a Cyber Incident. The Incident Response portion of a Cyber Policy provides access to and funding for:

    a) Data Breach Coach: A law firm specializing in responding to Cyber Incidents.
    b) Forensics Teams: Your “boots on the ground.” These folks will determine: What happened? Is it still happening? What do we do now?
    c) Notification Costs: Do we have to notify anyone? If so: Who? How? When? What will be our message? The “Where” is also crucial, as there are currently 50 different state guidelines for data breach notifications and the laws apply to the affected individual rather than the affected organization, so you could have one breach that triggers multiple state reporting guidelines.

  2. Extortion/Ransomware Coverage: Provides coverage for Ransom payments and expenses arising out of a Ransomware threat.
  3. Digital Data Recovery: Covers the cost to restore, replace, recreate, re-collect or recover Digital Data from records that have been corrupted, stolen or destroyed.
  4. Business Interruption: Covers loss of Income (net profit before taxes) and extra expenses that a business suffers due to an interruption or degradation in service caused by a Cyber Incident. Note: Business Interruption due to Cyber Incidents is now widely excluded under traditional Insurance Policies.
  5. Cyber Crime: Theft of funds or securities is technically covered under Crime Insurance, however there is a clear overlap between Cyber and Crime in this case. It is crucial to understand how your Cyber and Crime coverages interact to ensure that you are covered for a Cyber Crime loss.

Third Party Coverage

  1. Privacy/Network Security Liability: Covers defense and settlements for third party liability claims arising out of:
    a) Actual/alleged failure of Network Security
    b) Actual/alleged failure to protect Personal, Protected or Confidential Info
    c) Actual/alleged failure to prevent the transmission of malicious computer code
  2. Regulatory Proceedings: With the ever-expanding list of Data and Privacy Regulations (HIPAA, CCPA, BIPA, GDPR to name a few), coverage for regulatory actions and investigations has never been more important.
  3. Payment Card Industry (PCI) Fines and Penalties: Coverage for losses which an organization is legally obligated to pay as a result of the insured’s actual or alleged failure of Network Security or failure to properly handle, protect, or dispose of Payment Card Data.
  4. Media Liability: Coverage for claims pertaining to an organization’s display of Media Content on its website, in printed material, or Media Content posted by or on behalf of an organization on any social media site.

Benjamin Franklin and Mike Tyson: Cyber Experts

“Failing to plan is planning to fail” – Benjamin Franklin

“Everyone has a plan until they get punched in the mouth” – Mike Tyson

Although these two probably didn’t have a tremendous amount in common, we have brought them together here because their sage words help frame the approach your firm should take to Cyber Risk.

Make a plan! Fortify your defenses with cybersecurity best practices, develop an internal response plan for a Cyber Incident, and transfer the financial cost of an Incident to an insurer who will also bring in an external Cyber SWAT team to get you back up and running ASAP.

Test your plan! Plans look nice on paper, but as our friend Mike reminds us, when things get real, plans tend to go out the window. Make sure you test your plan and everyone involved knows their roles and responsibilities.

The Cyber World can be a scary place but there are lots of ways to help make it safer for your firm. The worst thing you can do is to do nothing; take action today. And if you ever find yourself overwhelmed or scared, just imagine Ben Franklin and Mike Tyson talking you through all of this… That should help!


Written By: Adam Abresch | Acrisure National Cyber Risk Practice Leader

As the Cyber Risk Practice Leader at Acrisure, (parent company of AHERN), Adam is responsible for designing custom Cyber, Crime and Technology solutions for Acrisure clients across the globe. Adam is also a guest lecturer at Fordham University, Hofstra University and leads Cyber Liability education for over 250 Acrisure Partner Agencies throughout the country.

Adam is a frequent speaker and thought leader on Cyber Risk, including featured presentations at NetDiligence, the Professional Liability Underwriters Society (PLUS) Cyber Conference and the New Jersey and New York City Bar Associations. A proud Tarheel, Adam graduated from the University of North Carolina at Chapel Hill and maintains a Certified Insurance Counselor (CIC) designation, Cyber COPE Insurance Certification (CCIC) from Carnegie Mellon/ Chubb and was the recipient of NetDiligence’s 2019 Toby Merrill Rising Star Award.


Substantial portions of this work appeared in the November 2020 issue of Orange County Lawyer magazine (Page 40). The views expressed herein are those of the Author(s). They do not necessarily represent the views of the Orange County Lawyer magazine, the Orange County Bar Association, The Orange County Bar Association Charitable Fund, or their staffs, contributors, or advertisers. All legal and other issues must be independently researched. Reprinted with permission.

Since the onset of the COVID-19 pandemic, companies across the globe have been working to develop a COVID-19 vaccine. As the pandemic continues on and vaccine clinical trials progress, there may be a possibility of a COVID-19 vaccine being approved for use in the foreseeable future.

The prospect of a vaccine is exciting to most, but also presents challenges for employers. Employers may be considering whether vaccination will be encouraged or mandated.

Employers must navigate the inherent legal risks and logistics of mandating or encouraging employees to receive the COVID-19 vaccine. To do so, employers should seek legal counsel to discuss which course of action is best for their organization. This article provides a general informational overview of considerations for employers.

Governmental Guidance

The Equal Employment Opportunity Commission (EEOC) and OSHA have both issued guidance on vaccines in the employment context in the past, but make no specific mention of a COVID-19 vaccine.

OSHA Guidance

Per OSHA, employers can require employees to receive vaccinations for influenza, providing they properly inform employees of “the benefits of vaccinations.” In addition, OSHA states that employees can refuse a vaccination due to a reasonable belief that they have an underlying medical condition that creates a real danger of serious illness or death, and that they “may be protected under Section 11(c) of the Occupational Health and Safety Act of 1970 pertaining to whistleblower rights.”

EEOC Guidance

The EEOC, which enforces the Americans with Disabilities Act (ADA) and Title VII of the Civil Rights Act of 1964 (Title VII), has also issued guidance regarding vaccines in the employment context. Specifically, in March 2020, the EEOC addressed whether employers covered by the ADA and Title VII can compel employees to receive the influenza vaccine. In this guidance, it was noted that there was not a COVID-19 vaccine yet.

Additionally, the EEOC explained that an employee may be entitled to an exemption from a mandatory vaccine based on a disability that prevents the employee from taking the vaccine. This would be considered a reasonable accommodation, and the employer would be required to grant the accommodation, unless it creates an undue hardship for the employer. The ADA defines an undue hardship as an action requiring significant difficulty or expense when considered in light of factors such as an employer’s size, financial resources, and the nature and structure of its operation.

The EEOC also states that, under Title VII, employees with sincerely held religious beliefs may be entitled to an exemption from a mandatory vaccination, which is considered a reasonable accommodation, unless it creates an undue hardship for the employer. Note that undue hardship under Title VII is defined as a “request that results in more than a de minimis cost to the operation of the employer’s business.” This is a much lower standard than under the ADA.

As such, these exemptions and the discrimination risk posed by mandating employees to receive any vaccine—including a COVID-19 vaccine when and if it becomes available—have led the EEOC to advise employers to simply encourage vaccination rather than mandating it.

Employer Considerations

There are a host of considerations employers need to review before coming to a decision on whether to encourage or require employees to receive a COVID-19 vaccination.

Employers should consider the following when reviewing their options:

  • Evaluating undue safety burdens—Employers will face the challenge of determining whether an employee poses an undue safety burden on co-workers by choosing not to get vaccinated (if the employer is simply encouraging receiving the vaccine) or being exempt from a mandated vaccination. When evaluating this consideration, employers will need to decide whether there are other precautions that can be put into place to protect employees, which may include:
    • Social distancing protocols
    • Requiring employees to wear masks at work
    • Leveraging telecommuting arrangements

  • Assessing and granting exemptions—If employers decide to require employees to get a COVID-19 vaccine, they will need to be prepared for the difficult task of determining whether an individual worker qualifies for a reasonable accommodation in the form of an exemption from receiving the vaccine under the ADA or Title VII. This assessment would need to be done on a case-by-case basis and could potentially leave an employer open to legal action should they wrongly deny an exemption request. In addition, the employer will also have to navigate protecting the rest of the workforce should an employee be exempt from being vaccinated.

  • Evaluating legal risks of requiring vaccines—Employers need to consider the possibility that they may receive legal claims if they require employees to be vaccinated and an employee experiences an adverse reaction to the vaccine or develops subsequent health problems.
  • Sorting out the logistics of requiring or recommending vaccination—Regardless of whether employers require or mandate COVID-19 vaccination, there are logistical elements to consider, including:
    • Will employers hold on-site vaccination clinics?
    • What vaccine, if more than one will be available on the market, will be used?
    • Who will pay for the vaccine?
    • Will the company require or cover the costs of vaccination for the employee’s family?
    • How long after the vaccine becomes available must workers receive the vaccine, if vaccination is mandated?

In addition to the considerations explained above, employers should consult legal counsel to determine whether there are unique risks to consider for their specific organization.

Employers should begin discussions on the topic of COVID-19 vaccinations at their organization today. Waiting until a COVID-19 vaccine is approved and readily available may leave employers open to overlooking important legal and logistic considerations.


This HR Insights is not intended to be exhaustive nor should any discussion or opinions be construed as professional advice. © 2020 Zywave, Inc. All rights reserved.