Best Value or Best Price? Is there really any debate?

If you are a GTSC member serving federal customers through the GSA Multiple Award Schedules (MAS) program, you may already be feeling the effects of pricing policies adopted by the agency last year. For other vendors, these changes could disrupt your offerings and impede agencies from receiving the best available solutions.
Possibly well-intentioned, and possibly a response to pressure from fiscal conservatives on Capitol Hill, an emerging procurement trend has GSA placing new emphasis on lowest price as the primary basis of award, in place of the historical best-value standard. SIA members, particularly integrators, have certainly felt the effect of GSA policy changes for justifying pricing.

The new policy follows a MAS contract amendment allowing the GSA to consider pricing on competitor contracts and pricing in “other venues” to make a fair and reasonable price determination when accepting or rejecting offers or requiring price reductions. However, the price comparison is so wide that it includes prices from unverified and/or unqualified sources that are likely to be outdated or invalid, making the tool inaccurate. Simply put, this new GSA pricing guidance encourages contracting officers to conduct “apples-to-oranges” price comparisons using sources ranging from GSA Advantage to public Internet sites listing the products of vendors not subject to GSA requirements.

As federal contractors, GTSC members know that a business obtains a GSA Schedule Contract after negotiating fair and reasonable pricing with GSA based on its commercial practices and its most favored customer(s). These Schedule Contract holders are audited, and their pricing is re-negotiated, at each subsequent five-year evergreen period. If a vendor has already negotiated a best price determination as the basis of the contract award, why should there be further comparison of this vendor to another vendor to verify the pricing? If GSA negotiations are successful, government customers are getting pricing equal to or better than that of a GSA supplier’s best customer. Right? Why then would such a supplier be required to change its pricing based on comparisons to vendors of different scale and/or vendors not subject to the same GSA requirements? These are some of the questions on the minds of many GSA contractors seeking to provide best value to their government customers.

For suppliers within the security industry, the revised GSA pricing policy could have the following effects:

• Bogus or outdated internet prices could be used to disqualify legitimate offers.
• Security integrators could be forced to supply parts at comparison prices that do not include the service/maintenance component.
• Security integrators could be forced to remove key parts of a security system as pricing updates on components are often rejected, splintering the ability to offer a complete security system under the Schedule Program.
• Erroneous comparisons could be made between prices offered by dealers or distributors and those offered by security integrators. Sales of individual items should receive different pricing consideration than a security integrator’s total solution delivered by trained and certified staff.
• Small businesses are put at a disadvantage when lowest price consideration overrides all others.
• Unreasonably low prices could drive vendors to give up participation in the MAS program.

The Security Industry Association strongly supports the MAS Program and sincerely respects the work of GSA contracting officers. Our members are optimistic that industry and GSA can work together to modify this price comparison policy and prevent businesses from concluding that the cost to maintain a GSA contract exceeds the intended benefit.

Contributing Author: Donald Erickson
Donald Erickson is CEO of GTSC’s Strategic Partner, the Security Industry Association (SIA). He has served on the GSA Multiple Award Schedules Advisory Committee and worked for Senator Rod Grams (R-MN) on telecommunications and technology policy.

Insider Threat Programs: 5 Easy Steps to Protect Your Company

The insider threat is a real concern across government and industry and unfortunately, we continue to see significant evidence of the damage incurred by malicious insiders, such as Snowden and Manning.  In the next few years, we will see changes to Government policy, including the National Industrial Security Program Operating Manual (NISPOM) to ensure we are properly protecting national security information and corporate assets.

Since the mere thought of how to create an insider threat plan can be overwhelming, the following five steps are intended to help you put things into perspective as you begin to develop and document your corporate plan.  There are many sources of information available for companies to reference (see the list of sources below).

Step 1:  Identify the Team

Assemble a team who can make decisions, change policies and understand the importance of the issues.  It is critical the team has a solid understanding of your overall business and your corporate assets.  You may want to include a member of executive management (COO) with budget authority as well as representatives from HR, Security, IT and your legal department.  Schedule a regular meeting time and assign someone on the team to take minutes.  An agenda can also be helpful as you begin to cover the elements of the plan.  The team needs to be able to work across the organization and have the synergy necessary to ensure that when a problem arises, it can be handled quickly.  The team should know the staff and be able to recognize concerning behaviors as potential indicators.

Step 2:  Conduct a Risk Assessment

One of the best ways to protect your company is to fully understand your assets and ensure you are taking the appropriate steps to secure them.  Sit down with executive management and outline what your corporate assets are, such as trade secrets, salary data, proposal data, proprietary data, sponsor or Government National Security data, strategic plans, Personally Identifiable Information (PII), and your IT systems and servers, etc.

Once you have established what the assets are, determine how well they are protected.  What is the risk if the information is leaked to a competitor or a foreign entity?  Look at who has access to the information.  You will want to limit exposure by removing file access from staff who do not need the information to complete their job function.  In addition, ensure that if someone leaves to join a competitor, or for any other reason, you know immediately what information that person had access to.  Have procedures in place so that access to information can be terminated immediately.

Determine whether you want to hire consultants to conduct the risk assessment or prefer to handle it in-house with senior staff.  Consultants may deliver an unbiased result, but their cost may be prohibitive.  You might find that you would rather allocate those funds to new equipment, such as a new firewall, to protect the assets.

Step 3:  Tighten Up Procedures/Policies

Ideally, the insider threat team will work together to strengthen the procedures, gather feedback, implement changes, and document the new policies as part of the plan.

Start this step by looking at the procedures and policies currently in place to protect the assets you identified during the risk assessment.  For example, if you have identified certain proposal data as proprietary, you should engage your IT staff to monitor who is downloading the data.  You can also tighten up the procedures surrounding the termination of employees to ensure they understand the NDAs they signed.  This will protect your company’s assets.  If possible, at the first notification of a termination, look at what the employee has been accessing for the past 30 days.  At this time, remind the person of the NDA signed at date of hire.

In addition to tightening up procedures, adopt an Acceptable Use Policy for your company.  The purpose of an Acceptable Use Policy is to outline the proper use of company information systems.  The policy is established to protect the employee as well as your company from risks (including virus attacks, compromise of network systems and services, and legal issues) due to inappropriate use and/or malicious conduct.  Ensure your staff understands the Acceptable Use Policy and the sanctions that apply when the policy is violated.

Step 4:  Security Education

Security education can be as creative as you are!  Many companies that contract with the Government have a security education program in place.  Supplementing the plan with insider threat material is easy with all the resources available online.  The goal of the security education program is to ensure your employees understand how to recognize a threat, both internal to the organization as well as from the outside (such as recruitment), the importance of reporting the potential threat, and how to file a report.

Encourage your staff to report and provide a confidential means of reporting.  If your staff is required to report adverse information, remind them of the requirement.  Reporting may lead to early detection of malicious insiders as well as possible recruitment.

Below are a few examples of indicators but please refer to the sources below for more detailed lists of threat indicators and observable behaviors that may indicate someone is involved in malicious activities.

  • Unexplained affluence or excessive indebtedness
  • Efforts to conceal foreign contacts, foreign travel or foreign interests
  • Requesting access to or accessing information outside official job duties including sensitive or classified information
  • Disgruntled behavior at work
  • Drug or alcohol abuse, excessive gambling, or criminal activity
  • Questionable judgment or untrustworthiness
  • Apparent mental, emotional or personality disorders
  • Working odd hours (suddenly changing working hours)
  • Printing or downloading files excessively
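Step 3 and the last two indicators above point at the same practical check: when a termination is announced, review what the person accessed over the prior 30 days, and treat excessive downloading or printing of the assets you tagged proprietary, especially outside working hours, as something the team should look at. The script below is an added example written for this article, not code from the article or from any of the cited sources. It assumes a constructed file-access log in the one-line-per-event format shown in its docstring, and constructed path prefixes standing in for the proprietary assets identified in your risk assessment; the thresholds and business hours are likewise assumptions to be tuned for your company.

```python
"""
Departing-employee access review (added example, not from the article).

Assumed (constructed) log format, one event per line:
    <ISO-8601 timestamp> <user> <action> <path> <bytes>
e.g.  2013-11-29T23:10:55 jdoe DOWNLOAD /proposals/FY14_pricing.xlsx 450000
"""
from dataclasses import dataclass
from datetime import datetime, timedelta

# Assumed: path prefixes of the assets the risk assessment tagged proprietary.
PROPRIETARY_PREFIXES = ("/proposals/", "/hr/salary/", "/trade_secrets/")
# Assumed: actions that move a copy of the data off the server.
EXFIL_ACTIONS = {"DOWNLOAD", "PRINT"}
BUSINESS_HOURS = (7, 19)          # assumed: 07:00-19:00, Monday-Friday
REVIEW_WINDOW = timedelta(days=30)
EXFIL_THRESHOLD = 5               # assumed: proprietary copies that alone trigger a flag

# Constructed sample log: one departing user (jdoe) and one colleague (asmith).
SAMPLE_LOG = """\
2013-10-28T10:02:11 jdoe DOWNLOAD /proposals/FY14_bid.docx 1200000
2013-11-05T09:15:40 jdoe VIEW /proposals/FY14_bid.docx 0
2013-11-12T14:30:02 asmith DOWNLOAD /proposals/FY14_bid.docx 1200000
2013-11-18T17:45:09 jdoe DOWNLOAD /public/holiday_schedule.pdf 80000
2013-11-29T23:10:55 jdoe DOWNLOAD /proposals/FY14_pricing.xlsx 450000
2013-11-30T08:05:17 jdoe DOWNLOAD /trade_secrets/design_v3.pdf 9800000
2013-11-30T08:07:44 jdoe DOWNLOAD /trade_secrets/design_v4.pdf 10100000
2013-12-01T11:20:00 jdoe PRINT /hr/salary/2013_bands.xlsx 0
2013-12-02T09:00:00 jdoe VIEW /public/cafeteria_menu.pdf 0
""".strip().splitlines()

# Constructed: the moment HR notified security of the termination.
NOTICE_DATE = datetime(2013, 12, 2, 12, 0, 0)


@dataclass
class AccessEvent:
    ts: datetime
    user: str
    action: str
    path: str
    size: int


def parse_line(line):
    """Parse one log line; raises ValueError on a malformed record."""
    parts = line.split()
    if len(parts) != 5:
        raise ValueError(f"malformed log line: {line!r}")
    ts_s, user, action, path, size = parts
    return AccessEvent(datetime.fromisoformat(ts_s), user, action.upper(), path, int(size))


def is_proprietary(path):
    return path.startswith(PROPRIETARY_PREFIXES)


def is_after_hours(ts):
    start, end = BUSINESS_HOURS
    return ts.weekday() >= 5 or not (start <= ts.hour < end)


def review_user(lines, user, notice_date):
    """Summarize one user's activity in the 30 days before notice_date."""
    window_start = notice_date - REVIEW_WINDOW
    events = [e for e in map(parse_line, lines)
              if e.user == user and window_start <= e.ts <= notice_date]
    exfil = [e for e in events if e.action in EXFIL_ACTIONS and is_proprietary(e.path)]
    after_hours = [e for e in events if is_after_hours(e.ts)]
    after_hours_exfil = [e for e in exfil if is_after_hours(e.ts)]
    return {
        "events": len(events),
        "proprietary_exfil": len(exfil),
        "proprietary_bytes": sum(e.size for e in exfil),
        "after_hours_events": len(after_hours),
        "after_hours_exfil": len(after_hours_exfil),
        "paths": sorted({e.path for e in exfil}),
        # Flag on volume alone, or on any proprietary copy made outside business hours.
        "flag": len(exfil) >= EXFIL_THRESHOLD or bool(after_hours_exfil),
    }


if __name__ == "__main__":
    for who in ("jdoe", "asmith"):
        summary = review_user(SAMPLE_LOG, who, NOTICE_DATE)
        print(who, "FLAGGED" if summary["flag"] else "ok", summary)
```

The review deliberately reports counts, byte totals and the list of paths rather than a verdict: the indicators in this article are reasons for the team to look closer, and the output is meant to be read alongside the NDA reminder and the HR conversation, not acted on by itself.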

Here are a few ideas to introduce and begin to implement your insider threat program.  Add a few slides to your annual refresher training as a means of introducing the topic and outlining the requirements for reporting.  You can also add to or begin to publish a monthly newsletter to highlight threat indicators and reporting procedures.  Both DSS and the FBI websites have downloadable brochures with relevant information.  If you need a little humor, Threat Geek has great cartoons with insider threat content that will deliver your message in an entertaining way.

Step 5:  Document Your Plan

By the time you get to this step you should be well on your way toward creating a successful plan.  If you have maintained good notes along the way, it will be easy to put the results of your risk assessment, new policies and procedures you have implemented, the details of your security education program, and the team responsibilities into a corporate plan.

Remember, you are never done!  Insider threat is an ongoing and evolving issue and your plan should be continuously amended as you gain more experience working through various issues that arise.

Contributing Author:  Katherine D. Mills

Katherine D. Mills is Chief Security Officer and Security Director for GTSC Member CENTRA Technology, Inc.  She has over 20 years’ experience in security and at CENTRA is responsible for all aspects of security operations under the company’s National Industrial Security Program, including personnel, program, physical, and information security, at both CENTRA’s Arlington and Burlington locations.

Sources:

CERT: Common Sense Guide to Mitigating Insider Threats

DSS: Insider Threat Courses & Brochures

FBI: Insider Threat Briefing

ONCIX: Insider Threat Relevant Reports, Briefings & Reading Material

American Society for Industrial Security (ASIS), Security Management, October 2013

Threat Geek, cartoons for security education

  • http://www.threatgeek.com/

GTSC Member Efiia offers Project Management Training FREE for Vets

Efiia Cares, The Dixon Center, Orion International, and McDermott Will & Emery LLP are offering an intensive project management training and career transition program for veterans and spouses starting in January 2014.
Participants will learn the fundamentals of project management, industry standards, and best practices based on real project engagements. Following a full day of intensive classroom instruction, participants receive individualized support and mentoring throughout the year from experienced professionals. The program is targeted to participants with little or no project management experience and it includes the following:

– Intensive classroom instruction on project management fundamentals
– Group exercises and case studies
– Public speaking and presentations
– Resume writing support
– Practice interview sessions
– Ongoing mentoring and support
– Training on management tools (Word, Excel, PowerPoint, Project, iBooks, Prezi)

The first class will be held on Saturday, January 25, 2014 from 9am to 5pm in downtown Washington, D.C. Additional classes will be offered throughout the year.

To apply for the program, please fill out the online form at www.orioninternational.com/efiia-cares-project-management-training/learn-more/ no later than December 31, 2013. Please note that space is limited for the January 25 class. For more information contact [email protected]

DHS Releases Privacy Office’s Annual Report to Congress: Any Progress?

In November, the Department of Homeland Security’s Privacy Office issued its annual report to Congress.  The report, which covers the period from July 2012 through June 2013, was a few months late.  The incoming Chief Privacy Officer (CPO), Karen Neuman, announced the release of the report.

Neuman came to the Department from a boutique privacy law firm, replacing Mary Ellen Callahan, who left DHS to return to private practice in August 2012.  In the interim, Deputy Chief Privacy Officer for DHS, Jonathan Cantor, served as acting CPO.  The 2013 Annual Report is 89 pages long and covers the Privacy Office’s efforts in five key areas, or goals.  From the report, they are:
  • Goal 1 (Privacy and Disclosure Policy): Foster a culture of privacy and transparency, and demonstrate leadership through policy and partnerships;
  • Goal 2 (Advocacy): Provide outreach, education, training, and reports in order to promote privacy and openness in homeland security;
  • Goal 3 (Compliance): Ensure that DHS complies with federal privacy and disclosure laws and policies and adheres to the DHS FIPPs;
  • Goal 4 (Oversight): Conduct robust oversight on embedded privacy protections and disclosures in all DHS activities; and
  • Goal 5 (Workforce Excellence): Develop and maintain the best privacy and disclosure professionals in the Federal Government.
These goals align, mostly, with the six key functions of a public sector privacy office:  policy; compliance; oversight; incidents and breaches; education and training; and engagement and outreach.  Workforce excellence, while important at any organization, seems to be a curious goal for the Privacy Office, with barely a page of discussion on the goal in the main body of the report.
Importantly, the annual report makes clear that privacy at DHS is much broader than found in Privacy Act offices at most other Federal agencies.  The DHS Privacy Office has been at the forefront on privacy and privacy policy within the Federal Government, often out in front of the Office of Management and Budget, the entity charged with responsibility for the Privacy Act of 1974, the main privacy law applicable to the Federal government.
During the period of the 2013 annual report, the Privacy Office worked on and issued Department-wide policy in a number of areas, including: information sharing with the Intelligence Community; research projects at the Department; and the conduct of Privacy Office investigations under expanded authority from the 9/11 Commission Act.  Under “advocacy” – encompassing the key functions of “education and training” and “engagement and outreach” – the Privacy Office set up a working group to consider unmanned aircraft systems (UAS) and worked together with the Civil Rights and Civil Liberties Office to inform civil society of the Department’s efforts with respect to Presidential directives on critical infrastructure.  The office also had substantial contact with data protection authorities, members of parliament, and officials from justice and interior ministries from around the globe.
Compliance, the heart of any agency privacy program, showed significant improvements.  During the reporting period, the Privacy Office approved 87 Privacy Impact Assessments (PIA), under Section 208 of the E-Government Act of 2002, and 24 System of Records Notices (SORN), under the Privacy Act of 1974.  Among the PIAs was the first ever for a Federal agency on the use of UAS.  The Office also reviewed over 200 intelligence products and over 500 intelligence information reports, to assure that the minimum necessary amount of PII is disseminated in these intelligence documents.
On oversight, the Privacy Office conducted a comprehensive review of the Department’s compliance with the Automated Targeting System (ATS) PIA and SORN, and the joint US/EU Passenger Name Record Agreement prior to the European Commission’s 2013 Joint Review of PNR.  The Office also completed several Privacy Compliance Review reports on various Departmental programs, to include the use of social media for situational awareness, the E-Verify Self Check Program’s use of a third-party identity proofing service, and information sharing.
It is worth noting that the DHS Privacy Office Annual Report, a statutory requirement under the Homeland Security Act, is critical to the office’s oversight responsibilities.  The report also has been a source of friction between Congress and the Executive Branch in the ten years of the Department’s existence.  In the first few years, the Privacy Office had difficulty getting the annual report out in a timely manner, with the second report covering a two-year period.  Congress, viewing the annual report as an independent means of receiving objective information from the Privacy Office on Departmental matters affecting the personal privacy of Americans, was concerned with delays in issuance of the annual report and, accordingly, mandated in annual appropriations bills that no appropriated funds be used by anyone outside of the Privacy Office to alter, direct that changes be made to, delay, or prohibit the annual report’s transmission to Congress.
Congress followed up on the appropriations language with an even clearer and stricter limitation on perceived interference with the annual report in the Implementing Recommendations of the 9/11 Commission Act of 2007 (9/11 Commission Act).  Section 802(e)(1) of the Act states that the CPO shall “submit reports directly to the Congress regarding performance of the responsibilities of the senior official under this section [the Chief Privacy Officer], without any prior comment or amendment by the Secretary, Deputy Secretary, or any other officer or employee of the Department or the Office of Management and Budget. . . . ”  The 9/11 Commission Act also gave the Privacy Officer greater independence, akin to an agency inspector general, stating that the Privacy Officer reports to, and is under the “general supervision of,” the DHS Secretary.
The 2007 annual report’s issuance was stayed pending an opinion from DOJ’s Office of Legal Counsel on the language of section 802(e)(1). The Office of Legal Counsel eventually published an opinion stating that section 802 would not preclude DHS or OMB review of the report prior to its release.  Since 2007, there have been no further disputes between Congress and the Executive Branch over the CPO’s independence, and the annual report has been released to Congress and the public in September of each year.

Contributing Author:  Hugo Teufel

Hugo Teufel is the former Chief Privacy Officer of the U.S. Department of Homeland Security.  An attorney, he assists public and private sector clients in a wide range of areas including privacy and security; investigations, compliance, and corporate governance; defense and homeland and national security; government contracts formation, administration and litigation.

Strategic Sourcing Initiatives at DHS

Jose Arrieta, Procurement Ombudsman at DHS, discussed the agency’s procurement strategy and its prioritization of Strategic Sourcing at GTSC’s recent annual meeting.

As a follow-up, Mr. Arrietta provided the following exceptions to Strategic Sourcing:

a.  Emergency operations – Specify the emergency operation, including the name, date, location, and description. Document how using a strategic sourcing contract vehicle would negatively impact the mission.
b.  National security – Include a written description of how using a strategic sourcing contract vehicle compromises national security.
c.  Remote locations – Specify the remote delivery location and include written analysis that quantifies the higher cost or delay that would result from using a strategic sourcing vendor.
d.  Greater savings – Purchases where the savings from using a non-strategic sourcing vehicle exceeds the savings from the strategic sourcing vehicle – Include a written analysis that shows the savings comparison. Documentation shall be signed by the official approving the exception (include name and title of official).
e.  Required by statute – Specify the statute that requires the use of a non-strategic sourcing vehicle.
f.  Priorities for Use of Government Supply Sources – Specify the supply source indicated as a higher priority in FAR Part 8.002 and the contract vehicle to be used. These sources may include Committee for Purchase from People Who Are Blind or Severely Disabled and mandatory Federal Supply Schedules. These sources may not include optional use Federal Supply Schedules because strategic sourcing contract vehicles have higher priority than optional use Federal Supply Schedules.

Is your Business Really Prepared for the ACA?

Politics aside, what do you really need to know about ACA?  Some like it; some hate it. There’s seemingly “good news” for the uninsured, yet “bad news” for corporate America. Politicians stump about it, news media “chat” about it nonstop, everywhere you turn there’s something about Obamacare (Affordable Care Act – ACA). With all of the attention, it may be hard to get to the facts and harder to know what to expect, and how one might need to respond. So consider this the “short list” of the important elements of the ACA and what you may need to do about it.

Health Benefit Exchanges – We’ve all heard about the creation of Health Insurance Exchanges, but the focal point of these exchanges for employers is the definition of “small group.” The Small Group Market is defined as employers with 100 or fewer employees in the preceding year. However, the Exchanges are run by the states, which have the authority to define the small group market as 50 or fewer employees in the preceding year.

So what do you need to do? Be aware of how your state defines the small group market because it can have a significant impact on your ability to access the Exchange.

Play or Pay Tax – Larger employers will potentially be subject to the play or pay tax if they do not offer coverage and certain criteria are met, or if they do offer coverage and certain other criteria are met. Employers will be considered “large employers” if they have an average of 50 or more employees in the preceding year. Employees include “full time equivalent” employees, which are calculated on a monthly basis. The taxes (penalties) for being out of compliance are assessable on a monthly basis.

So what do you need to do? It’s imperative to understand BOTH the way full-time employees are calculated, as well as understand the way coverage is deemed suitable (and thus not subject to possible penalties).

Small Business Tax Credit – Only employers that have 25 or fewer full-time employees and meet other eligibility criteria requirements can claim the tax credit. The average annual wages for employers in this category must be $50,000 or less AND the employer must have a contribution arrangement in effect that satisfies the IRS requirement.

So what do you need to do? If you’re potentially in this arena, you need to understand the calculation of full-time employees as well as the salary calculation. You’ll also need to work with an accountant or tax professional who can help with IRS form 8941 in order to claim the credit.

Medical Loss Ratio – Depending on how the Small Group Market is defined in your state, a group may be subject to either an 80% or 85% medical loss ratio standard. This will have an impact on the chances enrollees have of receiving a rebate: 85% for the Large Group Market and 80% for the Small Group Market.  The medical loss ratio is a spending requirement imposed on carriers providing coverage.  Rebates are only required if the carrier does not meet the applicable medical loss ratio standard.

So what do you need to know? This element will have an indirect impact on employers because it is directed towards insurance carriers.  Many carriers will have to decide if they are going to continue to offer plans in certain markets or if it no longer makes financial sense to do so. If carriers drop out or pull back offerings, the result will be potentially increased pricing for those who remain, and/or driving more people to the exchanges.

Record Keeping Requirements for Everyone – regardless of the size of the company, the ACA is requiring all employers to keep records of their employees, records that are to include household incomes (yes, even for the spouse not employed by the firm), and if they have enrolled in an exchange. The purpose according to ACA is to determine possible “cost-sharing” for those employees who are at or near the poverty level for an individual and/or family (hence why they are requiring family income).

So what do you need to know? Some might think, “Well, I don’t have any employees at or near the poverty line,” but that does not mean you are exempt from keeping records.  Everyone is required to.  On the other end of the spectrum, there may be a Cadillac tax coming down the road in 2017, assessed against those who have plans that are “too rich.”

Other questions employers are asking include, “I’ve heard about grandfathering plans, can I (should I) do that and if so, how?”  “Should exchanges be a part of my company’s offering?”  As the ACA continues to unfold, there will likely be additional elements of it that employers will be forced to address.  The best advice we can offer to employers is: make sure you are working with a Financial Professional who understands the ACA and can help you navigate its impact specific to your firm. Have a plan, and get out ahead of it as much as possible.

P. Allen Haney President, The Haney Company

Mr. P. Allen Haney is a Strategic Advisor to the Government Technology & Services Coalition. Also a trusted advisor to business owners and nonprofit executives, Allen Haney is best known for solving problems. His counsel on employee benefits, executive compensation, and retirement planning routinely vitalizes the health and sustainability of closely held businesses and associations.

He is most appreciated for his all-inclusive, uncompromising commitment to expand client capacity by uncovering risks and opportunities hidden in blind spots. Read more about Mr. Haney here.

Deciding to Pursue 8(a) Certification

As part of the strategic planning process at PReSafe Technologies, we regularly consider market opportunities and industry sectors that present sound, viable avenues for sustained revenue and growth that are aligned with our aim of protecting global digital assets. With the Federal government’s mission to protect the people, infrastructure and economy of our nation; its increasing emphasis on cyber security; and its position as one of the largest purchasers of goods and services in our economy, our decision to enter the Federal marketplace was clear.

Entering a new market is a formidable and demanding endeavor, particularly for an emerging business in a recovering economy. It includes building new relationships and alliances and fundamentally understanding how business is conducted in order to be competitive and win business.  As an emerging business, it is crucial to remain efficient and effective during each step.  Our due diligence led us to the U.S. Small Business Administration (SBA) 8(a) program as an efficient and effective approach for entering the Federal marketplace.

PReSafe Technologies became aware of the SBA 8(a) program through online research, dialogue with colleagues and participation at meetings hosted by the Government Technology & Services Coalition (GTSC). The SBA 8(a) program is well suited for emerging businesses, particularly socially and economically disadvantaged entrepreneurs that aspire to gain a foothold in government contracting.

The SBA 8(a) application process is much more comprehensive (and lengthy) than most state programs with a similar focus on emerging, disadvantaged businesses. PReSafe Technologies found it was well worth the effort because of the significantly greater market opportunity, structured business development (annual reviews, business planning, systematic evaluations) and executive leadership development opportunities.  Moreover, we believe that demonstrating success in the Federal marketplace may readily lead to increased opportunities in other private sector marketplaces.

PReSafe Technologies recently initiated the SBA 8(a) application process, and we expect that it will take some time before the anticipated successful outcome.  Our aim is to protect global digital assets and support the Federal government’s mission of securing the U.S. homeland. We seek to collaborate and remain optimistic about the opportunity to bring additional innovation, agility and high-quality solutions to the Federal marketplace through the SBA 8(a) certification process.

Learn more about the SBA 8(a) application process here.

Robert V. Jones
President & CEO
PReSafe Technologies LLC

Robert V. Jones is the President & CEO of PReSafe Technologies LLC. PReSafe Technologies LLC is a professional consulting, advisory and solution delivery company dedicated to protecting global digital information assets by identifying and eradicating cybersecurity threats, thus enabling companies to do business with confidence in today’s globally interconnected electronic marketplace.

Cyber Security Insurance: Does Your Company Need It?

“Cybersecurity – A Special Report”…with newspaper headlines like this in The Washington Post, cyber security is THE hot topic.  If your company uses a computer, credit card, or checking account, files a tax return, employs smart phones, or uses iPads, your business is a target for losing intellectual property or becoming the vehicle for a cyber attack — with a huge financial loss as the result.

For individuals, the theft or misuse of private information occurs daily.  Traffic intercepted on public internet connections, misplaced cell phones, phishing attacks on home computers, and theft of personal computers happen throughout our society and result in long-term financial crises.

Small business owners face even greater obstacles from cyber attacks.  A recent National Small Business Association survey reported that 44% of its 800 surveyed members had fallen victim to a digital break-in.  What are the steps we can take to help thwart these information criminals?  Solutions for both companies and individual citizens are very similar.

Every business using the internet must establish a strong risk management plan and adhere to its rules in order to lessen the impact of cyber theft.  With the growth of cloud computing, the use of smart phones and tablets, telecommuting employees, and digital information flowing outside the office, cyber attackers have many more access points.  The Federal Communications Commission (FCC) lays out guidelines to prevent cyber attacks.  Among its suggestions are:

  • Train employees in security principles.  Use strong passwords with expiration dates.
  • Protect information, computers and networks from cyber attacks.  Install a firewall and keep security software, operating systems and web browsers up to date.
  • Create a mobile device action plan.  Password-protect devices, encrypt stored data, install security apps, and define how employees report lost or stolen equipment.
  • Make backup copies of all important data.  Store them offsite or in the cloud.
  • Passwords and authentication.  Require a unique password for each user and change passwords every three months.

One caveat on the last two items: the three-month rotation reflects the FCC guidance of the time. NIST SP 800-63B has since advised against routine password expiration, favoring long, unique passwords screened against known-breached lists, together with multi-factor authentication, so a plan written today should follow the current NIST guidance.

Many businesses have the additional exposure of outsourced data.  They share customer information with third parties who provide billing, payroll, and employee benefits, and they frequently outsource web hosting, HR services, and information technology services as well.  Despite this exposure, many businesses do not require third parties to cover the costs associated with a data breach in their contracts.  When you use outside partners, what risk-management strategy do they follow to protect you against financial loss and reputational harm?

Because of the explosion in internet usage, many companies are seeking contractual risk transfer and indemnification through insurance.  Since the early 1990s, insurance products have evolved to cover the growth of cyber risk.  Today numerous insurance companies either provide stand-alone policies or add the protection to other coverages, such as Directors & Officers (D&O), Errors & Omissions (E&O), and Fiduciary Liability policies.  An E&O policy is a type of professional liability coverage typically issued to companies that set standards or deliver services for themselves or for clients.  D&O liability coverage protects directors, officers, staff and the organization itself against claims arising from management decisions.

Cyber Liability Policies should provide protection for both First Party and Third Party claims.  First-party coverage pays for the insured’s own losses after an incident; third-party coverage pays for the insured’s liability to others (customers, partners, regulators).

First Party coverage includes:

  • Crisis Management Event Exposures
  • Security Breach Remediation and Notification Expenses
  • Computer Program and Electronic Data Restoration Expenses
  • Computer Fraud
  • Funds Transfer Fraud
  • E-Commerce Extortion
  • Business Interruption and Additional Expenses

Third Party coverage includes:

  • Network and Information Security Liability
  • Communication and Media Liability
  • Regulatory Defense Exposure

Cyber insurance helps before a loss occurs: the thorough underwriting process highlights the risk exposures that need to be addressed.  Should a loss occur, these policies help the company work through the data leak, the PR crisis, the IT response, and the financial fallout.

The recommended approach to today’s cyber threat combines risk management planning, assistance from third-party partners, and insurance coverage to assist should a loss occur. For more cyber security tips, visit www.us-cert.gov. Learn about the FCC’s Small Business Cyber Planner here.

Mary Jordan, “CYBERSECURITY – A Special Report,” The Washington Post, Thursday, October 10, 2013

P. Allen Haney, President, P. Allen Haney Company

Mr. P. Allen Haney is a Strategic Advisor to the Government Technology & Services Coalition. A trusted advisor to business owners and nonprofit executives, Allen Haney is best known for solving problems. His counsel on employee benefits, executive compensation, and retirement planning routinely revitalizes the health and sustainability of closely held businesses and associations.

He is most appreciated for his all-inclusive, uncompromising commitment to expand client capacity by uncovering risks and opportunities hidden in blind spots. Read more about Mr. Haney here.

Certify Your Small Business as a Federal Contractor

The Small Business Administration (SBA) shared these resources for how to certify your small business as a federal contractor. It can be a complicated road, but this is a great place to start!

If you’re a small business owner interested in making the federal government one of your next customers, you can benefit greatly from certifying your business first. Many government agencies are required to set aside a certain percentage of their work for small businesses (including woman-owned, veteran-owned and other categories), so certifying your business can help you successfully compete for government contracts. These resources can help:

You can also read up on additional certifications that can give your small business a competitive edge when pursuing government work. These include programs designed to help small businesses in historically underutilized rural and urban areas (HUBZone Program), socially and economically disadvantaged businesses (8(a) Business Development Program), as well as Woman-Owned or Service-Disabled Veteran-Owned businesses. Learn more here.