In times of crisis such as the one we are all enduring, with inflated prices stemming from a number of factors including the war in Ukraine, supply chain disruption, food shortages, energy inflation and post-pandemic recovery, businesses, especially small businesses are having to scramble to not make a profit, but merely keep things afloat. 

Research suggests 40% of small businesses are likely to experience some sort of property or liability claims in the next 10 years. Dealing with claims can cause stress in enormity as needless lost time, huge expense and endless frustration. You don’t want to be in those situations do you? Here are a few information and tips that may help reduce the chances of having to go through such experiences.

According to studies, the top 5 common property claims are as follows:

1. Burglary or Theft 20%
2. Damage from wind or hail 15%
3. Damage from water or freezing 10%
4. Fire Damage 10%
5. Customer Slip and Fall 10%

As can be seen below, the cost can add up and add up quickly. The top 5 most common claims in order of frequency are as follows:

1. Reputational Harm 
2. Vehicle Accident 
3. Fire Damage 
4. Product Liability 
5. Customer Injury or Damage 

Risk prevention is highly advocated and smart decisions could save businesses substantial amounts of money, time and headaches. 

Burglary and Theft

One very common risk is the loss of property and money due to theft and robbery. We highly recommend all small businesses carrying out background checks instantly. This will allow the screening of potential candidates so that any prospects with red flags can be isolated efficiently.  Given the access to modern technology, proceeding with this task should not be too difficult.

One very common risk is the loss of property and money due to theft and robbery. It is highly recommended that background checks for potential candidates are carried out as soon as possible. Any candidates with red flags can quickly be identified and isolated. Given how modern technology is relatively accessible, proceeding with this task should not be too difficult.

Installing reasonable devices in your property can also add a layer of protection for your organization. Not only does it allow the protection of your properties, but it also monitors any movements and suspicious activity. Investing up a notch on the security system can go a long way to protecting your company’s assets, aids in catching criminals and acts as a repulsive force for thieves. 

Protect your reputation

Without question, the most expensive claim is regarding reputational harm. With such advancement in technology, companies should be extra careful and give its utmost importance in ensuring that their reputation remains intact.

1. Refrain from negative comments

It is highly recommended to avoid creating negative or defamatory comments, whether that is in print or digital. Reputational harm incidents generally lead to emotional distress and thus lawsuits often ensue.

2. Avoid untruthful statements

Whatever is said can be used against you, so it is vital that any advertisements or social media does not contain any untruthful statements. Falsely claiming something over your competitor or failing to publicly distinguish between truth and falsehood can lead to defamation lawsuits.

3. Educate employees about libel and slander

The perception of your business is often based on word of mouth, and nothing spreads faster than social media. Thus, employees who are involved in social media work must know what should and shouldn’t be said as they could run the risk of libel (written defamation) and slander (oral defamation).

It is integral that those involved in this area understand that expressing something that is not completely factual can have severe repercussions. One error from a single employee can affect the whole business, including other employees not involved in the case.

4. Monitor and moderate what other people write on your website

While engaging through comments and discussions can increase visibility and conversion rates, negativity cannot be controlled. Hence, monitoring these areas are crucial for a safe and respectful online community. A policy such as spam filters is highly advisable.

5. Be quick to fix any errors or negligence in your work

No one is perfect and people make mistakes. What matters most is how you respond to it. While it can affect the client and damage their reputation, it could result in a pricey litigation. Especially relevant to professional services, it is critical to quickly investigate the root of the issue and correct it. A public announcement can further soften the blow to demonstrate that every effort in fixing the problem has been made.

Zooming Out

As Warren Buffet once said, ‘It takes 20 years to build a reputation and five minutes to ruin it.” All your actions should portray this mindset if you are to minimize risks. After all, part of running a business is protecting from harm and liability. While reputational and theft may be considered the most common and expensive, to ensure that you are safe rather than sorry, other risks should also be taken into consideration such as product liability and property damage and liability.

Pandemic effects

The pandemic affected and is still altering lives in numerous ways, as businesses began grasping at straws and coming to terms of the stark reality ahead. Every facet of work changed dramatically and organizations had to swiftly adapt and tackle the situation head on. Remote working became the norm, as containing the spread of the disease became the priority. Although since the vaccine roll-out, some of the transformations have been reversed, the repercussions can still be felt today. One of such consequences is cyberattacks, as extending the company’s work perimeters presented a number of risks and vulnerabilities. This was affirmed by Check Point Research as their studies uncovered that there was an increase of 50% in weekly attacks on corporate networks globally, and while this trend does not appear to be averting any time soon, there are reasons for optimism should there be genuine actions in terms of comprehensive cybersecurity adjustment.

Vulnerability of remote work

Cloud
With remote work, it is important to address and understand the channels and the manner in which a data breach occurs. With cloud computing, any leakage can be severely detrimental and when working out of office, there is more propensity for off-site infiltration that can present new threat potential, which can be incredibly difficult to track.

BYOD
A bring your own device (BYOD) culture in certain businesses can be considered as treading on dangerous waters. Accessing critical applications and software on personal devices creates an opportunity for data leakage.

Lack of training
An immediate migration working from home without understanding the risks and seriousness of cyber health can be severely detrimental to any organization. When the labor force is dispersed, it can be difficult to set up an educational workshop where everyone can absorb and comprehend the sheer magnitude and effects of a cyber attack, but disregarding the importance of cybersecurity training can almost be considered as suicidal.

New trail of data
Lastly, pre-pandemic meetings were predominantly done face to face, but such was the ambiguity of the severity of the virus at the time, physical interactions were abstained and meetings became conference calls. This is often used for communication purposes, with applications such as zoom, google meets microsoft teams and slack, to name a few, as popular alternatives. However, these applications left a trail of data and the additional entry point merely piqued the interest of cybercriminals, and can only make identifying and resolving data breaches a monumental task.

Improvement to cybersecurity

All in on technology
One such way of utilizing IT advancement minimize the chances of cyber attacks is by bolstering its security, whereby devices and network can be monitored and patterns and endpoints for suspicious activities can be identified and established. AI solutions such as user entity and behavior analytics (UEBA) and security information and event management (SIEM) facilitate real-time detection and provide automated analysis and response, a pivotal development for stifling any cyber attacks.

Two-Factor authentication
Implementing access control solutions such as multi-factor authentication can also be crucial, as its additional layer of security can act as a buffer from any external threats.

Remote friendly
The nature of these functions is especially commended as it not only not compromise the advantages of remote work, but can integrate seamlessly and securely. The IT team can access with ease. It does not matter whether the device or the employee is on-site or off-site.

Training
Nonetheless, while these applications and approaches can protect a company’s cyber health, it is highly unrecommended to solely rely on these additions  alone, as there should be continuous evolution. One such avenue to pursue is by arranging regular training sessions. This can ensure that there is a culture of cybersecurity awareness while all employees can be aligned and on the same page. Should everyone understand their responsibilities, the risks of being a victim of cyber attack dramatically decreases. 

Cyber Insurance
It must be noted that there is no complete solution to prevent a cyberattack but it is better to be proactive. Having cyber liability insurance can mitigate the damage a cyber attack can have as there can be compensation and indemnification for any legal and defense costs. 

The future of remote working

The flexibility afforded from working from home has reaped rewards for a number of reasons, as productivity, satisfaction and equity has risen, and is rightly endorsed with an estimated forecast of 70% of the workforce working remotely at least 5 days a month by 2025. While there may be viewpoints that this could widen the target for cybercriminals, the hybrid dynamic of the workforce outweighs the risks and should be deemed as an opportunity for IT growth rather than neglect.

CHAZ take

Online breaches will never go away but it should not deter any organizations from advocating remote working culture. The correct way to tackle the wave of cyber criminals should be by adopting technologies, heightening security and continued knowledge sharing about cybersecurity responsibility to employees and staffs.

Data will always be king for businesses, and it is no secret as to why organizations crave it incrementally. Through consumer behavior analytics, businesses nowadays have immediate access to a plethora of accurate information. This information often comes in the form of Personal Identifiable Information (PII), which can be crucial data points for businesses in evaluating their goals and targets. Examples of PII are subscriptions, emails, items purchased online, and given that these types of information are now readily available when they want, it only spurs the obsession for more data.

Unfortunately, but unsurprisingly, sensitive data has proliferated online at a frightening pace and has caused reasons for concern. The addictive culture of always wanting more data has demonstrated that actions need to be taken before things get out of hand as there are qualms that businesses are inept and unprepared to manage and secure such information at a desired level, and these fears are only mounting. 

It is hoped that, PDPA, a legislation to tame the violation of data privacy in Thailand, can succeed as it intends to. The purpose of the regulation is to not only reinforce the way businesses are handling personal data, but also allow individuals to protect their rights of access to personal data. Without PDPA, it could be argued that privacy is non-existent, a very dangerous territory. But with PDPA, it essentially ensures there is compliance and accountability on the shoulders of organizations.

As with any regulations, there are punishments for any breaches, and with PDPA, failure to comply could see companies see fines of up to 5 million baht, demonstrating a zero tolerance policy and that anyone can be held accountable. While the law has been in effect since 1st June 2022, given the drastic change, a one year grace period where leniency is granted for any infringements is currently in place to allow for any adjustments to be adapted.

To help you understand and better acclimate to the changes that may affect your company, let's take a deep dive into what PDPA actually is in Thailand. Fundamentally, it functions as a means to govern the collection, use disclosure and care of personal data. 

To distinguish the differences between personal data and sensitive data, you may find the below helpful:

Personal data: data that is related to identifying a person, which includes but not limited to customers, employees and business partners

Sensitive personal data: this includes, racial, ethnic origin, sexual orientation, health data, religious beliefs etc

As a guidance for how to take the necessary actions in order to thrive in this new era, an overview on the best practices to take can be found below.

Data required for business operation

Identify which types of personal data is required for your business operations. Such data should take into account the dealings and services with customers, internal operations, day to day relationship with employees and vendors. Each type of personal data, the personnel involved and risks involved in processing data should be given considered attention. This allows the implementation of relevant measures for collection and protection of personal data in a legal manner.

Consent

Prior to the introduction of PDPA, the purpose of consent was to ensure that the use of personal data would not be opposed. However, the PDPA goes deeper by laying down a marker in terms of processing, collecting or disclosing any personal data. It should also ensure that processing activities do not harm the rights of the data subject, with rights to request access to their personal data, have their data erased, object to the collection, usage or disclosure of data. Any request for attaining sensitive personal data must also be isolated from general personal data.

Creating a privacy notice and privacy policy

The details on how each personal data will be used needs to be transparent. This includes legal bases for data processing, to whom the personal data may be disclosed to, the length the personal data may be stored, contact details and rights of the data subject.

A privacy notice can be a method of communication in terms of getting the aforementioned message across. It can be short and simple and easy to understand with a link to a privacy policy for further explanation detailing the reasons and manner of processing as well as the avenues the data subject can take, should they wish to exercise their rights.

For any activities that are not done in-house and require data processing, an agreement is necessary in order to proceed. This includes day-to-day, back office activities and both offline and cloud storage. Civil administrative liabilities

Data security should also be given utmost importance. After all, PDPA not only governs just how the data is stored, but personnel that have access to the data. Hence, adopting security measures can not only minimize the chances of a cyber attack, but also fines from not adhering to PDPA principles. Moreover, appointing a Data Protection Officer is required, either double hatting with their other role or a dedicated DPO.

Case Examples

In Singapore, fines have resulted from a variety of violation across varying industries, including a hotel’s inability to do due diligence to security systems, exposing personal data of hundreds of millions of guests, a restaurant being a victim of ransomware due to their failure in correctly configuring firewall, a telecommunication company’s failure to install reasonable security arrangements was found to be the culprit of unauthorized disclosure of personal data, the Central Depository sent dividend checks to outdated addresses, putting customers at risk, a shipping company failed in implementing adequate data protection practices 

In Singapore, where PDPA is already in place, and other countries where GDPA, a tougher legislation, fines have been handed right, left and center for various violations from business across multiple industries. Below you can see some examples and how hefty it can be.

• A hotel failed to do due diligence to secure their security systems, exposing personal data of hundreds of millions of guests. Result: £99m fine.
• A restaurant fell victim to ransomware causing encryption of personal data of over 300 current and former employees, leading to an investigation that found that it failed to correctly configure a firewall. Result: S$16,000 fine.
• A telecommunication company failure to install reasonable security arrangements was found to be the culprit of unauthorized disclosure of personal data: Result: $9,000 fine.
• A securities company sent dividend checks to outdated addresses, putting customers' personal data at risk. Result: $32,00 fine.
• A ferry service failed to appoint a data protection officer, develop data protection policies and practices and arrange adequate security measures in order to protect its customers personal data. Result: $54,000 fine.

With that in mind, the value of a cyber insurance policy rises. Taking on a cyber policy will also allow further evaluation on your readiness as insurers will carry out an assessment on your cyber security.

CHAZ Reaction

At CHAZ, we are fully committed to complying with all the regulations. Despite the adjustments, we undoubtedly recognize the benefit the legislation brings to all parties involved and will continue to ensure that any of our client’s information are obtained with consent.

Underinsurance is a growing problem in the insurance industry. Essentially, underinsurance means having insufficient level of insurance. Research suggests that underinsurance is extremely common. If so, you may ask yourself, why is it such a big deal?

Taking out less than required cover can be incredibly detrimental to a business, with potentially brutal consequences. Its harshness becomes apparent during claims and businesses can find themselves severely out of pocket. 

During a claim, especially big ones, a loss adjuster is often on site at the scene to investigate. Should a policy be considered as underinsured, the insurer can apply the average clause. The average clause allows the same reduction in settlement percentage as what the asset is underinsured.

For example, a business’ stocks in the warehouse is insured for 40m THB, but the true cost of the stocks is 50m THB. A small fire then occurs damaging 5m THB of the stocks. Applying the average clause, the insurer is only obliged to pay 80% of the claim. As a result, the insurer is only liable to pay 4m THB and the remaining 1m THB would not be covered.

As the implications can hurt tremendously, it is recommended to implement ways to minimize the risks of underinsurance happening. To get the right cover, constant assessment is required to identify gaps and possible emerging risks. Furthermore, ensuring that the sum insured are aligned with the updated inventory can help avoid underinsurance massively. Consideration should also be given to everything in the premises, including customer goods, with its valuation reflecting peak stock levels rather than average stock levels.

However, Covid-19 stimulated an increase in underinsurance policies, as profits were hugely affected, businesses began to cut their costs with fewer insurance covers. Policies with heavy reliance on financial data forecasts such as turnover, payroll and gross profits, such as business interruption and liability policies, were especially difficult to assess in terms of optimum level of cover, making underinsurance even more prevalent. 

These fluctuations in turnover and gross profit especially hit hard in sectors such as leisure, hospitality and retail. With the heightened risk, assessing these sums may be challenging but there are ways to avoid underinsurance problems.

Moreover, as the economy showed more signs of stress and strain, insurance became a burden rather than a benefit, and despite no ill-towards other than wanting a lower premium, any deceitful actions can add excruciating and unfathomable pain if they ever suffer a loss. Insurers require the disclosure of every piece of information and should any underinsurance policy be deemed deliberate, it can be considered a reckless breach of duty and the policy can be null and void, with no return of premium.

Another aspect of underinsurance that is often overlooked, and should be emphasized after the pandemic, a sizable number of businesses pivoted and revamped their business model in order to survive. This meant that the types of insurance should have also altered, yet it cannot be said that it did. 

Shifting traditional reliance on brick-and-mortar to an increase in dependency in online sales means that their risks are more susceptible to cyber threats than physical threats and the business’ insurance should reflect that.

With the economy recovering, and businesses getting back up on their feet, it is imperative that businesses are taking the necessary steps in ensuring that their coverage is not only enough, but also suitable. Claims can be devastating and the last thing anyone wants is for their business to drown under water again.