Cybersecurity, workers’ comp and the defense supply chain

Jim McConnaughhay, Co-founder and General Chair of WCI

I recently read an article in the Orlando Florida Business Journal describing a letter that a local employer received from a defense prime contractor. The letter advised that “if the (local company) wasn’t working to become compliant with new federal cybersecurity regulations, it was in jeopardy of losing out on future work on an (existing) contract worth $750,000” (a major contract for this small employer).

For several years, the Workers’ Compensation Institute (WCI) had been reviewing the new cybersecurity standards, referred to as CMMC (Cybersecurity Maturity Model Certification), to determine whether the standards applied to workers’ compensation. There are three significant areas of concern:

  • Would previously required compliance with cybersecurity standards be expanded to relate to data and information retained as a matter of law for workers’ comp purposes?
  • Would the previously compliant companies be considered in the “defense supply chain” due to the expanded definition of that term?
  • Even if the new cybersecurity standards would not apply to companies concerned with workers’ comp issues (which is highly doubtful), could the standards be used as a “best practice” method of protecting confidential information?

The new cybersecurity standards require adherence by a company within the defense supply chain, which is defined to include not only prime contractors but also subcontractors and suppliers of services and products to defense contractors and subcontractors. Also, the newly defined protected data would include information relevant to workers’ compensation issues.

Application of CMMC standards

WCI felt it was essential to educate the workers’ comp industry on the newly developed standards through breakout sessions at the 2020 Workers’ Compensation Educational Conference in Orlando, which has been postponed until 2021 due to the COVID-19 pandemic. The sessions now will be presented in a virtual format on Sept. 16-17, 2020.

In creating the cybersecurity sessions, the initial question was how many companies or employers, presently designated as being in the defense industry, would unquestionably be subject to the new CMMC standards. For example, in Florida, the military and defense industry has a $95 billion impact on the state’s economy, and the defense sector provides 914,787 jobs employing Floridians in every county in the state. That constitutes approximately 9% of the state’s total economy, and it makes Florida the fourth-largest recipient of defense contracts in the U.S. with more than $17.5 billion in awarded grants annually.

If companies that previously have been designated as defense contractors are not aware of the new cybersecurity standards, it’s probably reasonable to assume that companies that don’t know they may be a part of the defense industry, such as subcontractors and suppliers of services and products to defense contractors and subcontractors, are not aware of these requirements either. In addition, protected data and information applies not only to classified information but also to “controlled unclassified information” (CUI), which no doubt is being retained for workers’ comp purposes as a matter of law.

Defense Cybersecurity Training Program

The enormity of creating new cybersecurity standards, increasing the number of companies that must comply, and redefining protected data/information has been recognized in recent actions taken by the U.S. Department of Defense (DoD). In July 2020, the Florida Department of Economic Opportunity (DEO) was awarded a $1 million grant to create the Florida Defense Cybersecurity Training Program. Funding was intended to “be used to administer programs and training that assists small and medium-sized defense contractors (as redefined by the recent standards) in becoming aware of and compliant with the DoD’s cybersecurity standards.” The initial action included educating companies with particular reference to the standards’ application and new processes.

What the Orlando employer was concerned about is exactly what the new grant was intended to provide. Even though the grant is primarily intended for small and medium-sized companies, the education provided will have tremendous applicability to large companies as well because they have to be sure that their subcontractors and providers of products and services are compliant. Otherwise, they may not be able to bid on defense contracts, or they may unknowingly violate the new standards.

WCI’s 2020 Cybersecurity Forum will provide detailed information on these new standards and will be presented by the DoD representatives responsible for overseeing and developing new processes and standards. Presentations will also be made by committee members who were responsible for the preparation of the new regulations.

WCI, in partnership with the Foundation of Associated Industries of Florida, will deal with cybersecurity in general and its importance in the world today. In the keynote, Sen. Marco Rubio (R-Fla.) will speak on the importance of cybersecurity from an international standpoint. Representatives from selected industries will discuss their required sensitivity to cybersecurity concerns. A simulated cybersecurity breach will be demonstrated. Of additional significance are resilience planning and the U.S. Navy’s prediction of the consequences of a crippling national cyberattack on the economy of Florida. Finally, the program will address, from the standpoint of an individual and of an individual company, the legal and financial consequences of a cyber breach. Joining the discussion on this session will be Florida’s insurance commissioner, David Altmaier, discussing the consequences of cyber breaches and possible issues in collecting insurance policy coverages either on a first-party claim (business interruption coverages) or a third-party claim (breaches caused by the insured’s negligence causing damages to third parties).

Compliance with required cybersecurity standards in the past could be based on the prime contractor’s good faith assurance that all cybersecurity standards had been met. This is no longer the case. Under the new standards, compliance must be certified by an actual third-party audit.

Cybersecurity unquestionably affects workers’ compensation and should be of significant interest to all. The two-day program presents the best information available on cybersecurity and the consequences of a breach on an international, national and individual-company basis. The complete program can be reviewed at www.wci360.com/cyber/.

Reprinted with permission from PropertyCasualty360, Sept. 1, 2020. © 2020 ALM Media Properties, LLC. Further duplication without permission is prohibited. All rights reserved.