American Association of State Compensation insurance Fund
Canada and USAFind a Member
North America Map Yukon British Columbia Alberta Saskatchewan Manitoba Ontario New Brunswick Prince Edward Island Nova Scotia Maine Washington Oregon Idaho Montana Wyoming North Dakota Minnesota New York Rhode Island California Utah Colorado Missouri Kentucky Ohio Pennsylvania Maryland Arizona New Mexico Oklahoma Texas Louisiana South Carolina Hawaii

Magnifying GlassSelect a state or province from the map above to get primary contact and web information for any
member fund.

CopperPoint Mutual Insurance Company
Phone: (602) 631-2000
Address: 3030 North Third Street
Phoenix, AZ   85012

State Compensation Insurance Fund
Address: 333 Bush Street
Suite 800
San Francisco, CA   94104

Pinnacol Assurance
Phone: (303) 361-4000
Address: 7501 East Lowry Boulevard
Suite 800
Denver, CO   80230-7006

Hawaii Employers' Mutual Insurance Co. Inc.
Phone: (808) 524-3642
Address: 1100 Alakea Street
Suite 1400
Honolulu, HI   96813

Idaho State Insurance Fund
Phone: (208) 332-2100
Address: 1215 West State Street
P.O. Box 83720
Boise, ID   83720-0044

Kentucky Employers Mutual Insurance
Phone: (859) 425-7800
Address: 250 West Main Street Suite 900
P.O. Box 83720
Lexington, KY   40507-1724

Louisiana Workers' Compensation Corporation
Phone: (225) 924-7788
Address: 2237 South Acadian Thruway
P.O. Box 83720
Baton Rouge, LA   70808

Maine Employers Mutual Insurance Company (MEMIC)
Phone: (207) 791-3300
Address: 261 Commercial Street
P.O. Box 11409
Portland, ME   04104

Chesapeake Employers’ Insurance Company
Phone: (410) 494-2000
Address: 8722 Loch Raven Boulevard
P.O. Box 11409
Towson, MD   21286-2235

SFM Mutual Insurance Company
Phone: (952) 838-4200
Address: 3500 American Boulevard West Suite 700
P.O. Box 11409
Bloomington, MN   55431-4434

Missouri Employers Mutual Insurance
Phone: (800) 442-0590
Address: 101 N Keene St
P.O. Box 11409
Columbia, MO   65201

Montana State Fund
Phone: (406) 495-5015
Address: 855 Front Street
P.O. Box 4759
Helena, MT   59604-4759

New Mexico Mutual Group
Phone: (505) 345-7260
Address: 3900 Singer Boulevard NE
P.O. Box 4759
Albuquerque, NM   87109

New York State Insurance Fund
Phone: (212) 312-7001
Address: 199 Church Street
P.O. Box 4759
New York, NY   10007

Workforce Safety and Insurance
Phone: (701) 328-3800
Address: 1600 East Century Avenue Suite 1
P.O. Box 4759
Bismarck, ND   58506-5585

Ohio Bureau of Workers Compensation
Phone: (800) 644-6292
Address: 30 West Spring Street
P.O. Box 4759
Columbus, OH   43215-2256

CompSource Mutual Insurance Company
Phone: (405) 232-7663
Address: 1901 North Walnut Ave.
P.O. Box 53505
Oklahoma City, OK   73152-3505

State Accident Insurance Fund (SAIF)
Phone: (503) 373-8000
Address: 400 High Street SE
P.O. Box 53505
Salem, OR   97312-1000

Pennsylvania State Workers Insurance Fund
Phone: (570) 963-4635
Address: 100 Lackawanna Avenue
P.O. Box 5100
Scranton, PA   18505-5100

Beacon Mutual Insurance Company
Phone: (401) 825-2667
Address: One Beacon Centre
P.O. Box 5100
Warwick, RI   02886-1378

South Carolina State Accident Fund
Phone: (803) 896-5800
Address: P.O. Box 102100
P.O. Box 5100
Columbia, SC   29221-5000

Texas Mutual Insurance Company
Phone: (800) 859-5995
Address: 6210 East Highway 290
P.O. Box 5100
Austin, TX   78723-1098

Workers Compensation Fund
Phone: (800) 446-2667
Address: 100 West Towne Ridge Parkway
P.O. Box 2227
Sandy, UT   84070

Washington Department of Labor and Industries
Phone: (360) 902-5800
Address: P.O. Box 44001
P.O. Box 2227
Olympia, WA   98504-4001

Wyoming Division of Workers Safety & Compensation
Phone: (307) 777-7159
Address: Cheyenne Business Center
1510 East Pershing Boulevard
Cheyenne, WY   82002

Workers Compensation Board - Alberta
Phone: (780) 498-3999
Address: 9925-107 Street
P.O. Box 2415
Edmonton, AB   T5J 2S5

Workers Compensation Board of British Columbia (WORKSAFEBC)
Phone: (604) 273-2266
Address: P.O. Box 5350 Station Terminal
P.O. Box 2415
Vancouver, BC   V6B 5L5

Manitoba Workers Compensation Board
Phone: (204) 954-4321
Address: 333 Broadway
P.O. Box 2415
Winnipeg, MB   R3C 4W3

Phone: (506) 632-2200
Address: 1 Portland Street
P.O. Box 160
Saint John, NB   E2L 3X9

Workers Compensation Board of Nova Scotia
Phone: (902) 491-8999
Address: 5668 South Street
P.O. Box 1150
Halifax, NS   B3J 2Y2

Prince Edward Island Workers Compensation Board
Phone: (902) 368-5680
Address: 14 Weymouth Street
P.O. Box 1150
Charlottetown, PE   C1A 7L7

Saskatchewan Workers Compensation Board
Phone: (306) 787-4370
Address: 200 - 1881 Scarth Street
P.O. Box 1150
Regina, SK   S4P 4L1

Puerto Rico State Insurance Fund Corporation
Phone: (787) 793-5959
Address: G.P.O. Box 365028
P.O. Box 1150
San Juan, PR   00936-5028
Tools for Members

Member Home

Member Connection: A member-only forum where you can post questions and ideas.

Stat Book: A highly functional analytical tool that provides valuable comparative benchmarking results from among our members who participate.

Online Directory: Get connected with your counterparts through this comprehensive list of AASCIF members with updated phone number, email and website information.

Associate Member Lookup

AASCIF Newsletter

Cybersecurity: What Is It and Why Should We Care?

By George P. Lupanow, PMP, WCF Mutual Insurance Company

Disclaimer: Even though as a project manager I have been exposed to issues regarding this topic, I am by no means an expert on cybersecurity. This article is based on extensive research and my access to the crack cybersecurity team at WCF Mutual Insurance.

The Oxford Dictionary defines cyber as “relating to or characteristic of the culture of computers, information technology and virtual reality” and security as “the state of being free from danger or threat.”

Cybersecurity encompasses the technologies and standard procedures designed to protect networks, computers, programs, and data from attack, damage, or malicious access. However, cybersecurity is no longer just a technology challenge. In fact, Warren Buffet recently said that he considers cybersecurity “the number one problem with mankind.” (1) It’s estimated that in the next three years, cybercrime damages will reach $6 trillion annually, making cyberattacks more profitable than the trade in all illegal drugs, combined! (2) It’s a challenge for everybody who interacts with technology daily—and that means everybody in our organizations!

As insurance companies, our cybersecurity is of big concern to our customers. According to a survey conducted by Gemalto, (3) 48% of consumers do not feel that companies are taking the protection and security of customer data seriously enough. Our customers trust us to securely handle and store their personal and confidential information—particularly medical claim information. It is so important to our customers that the same survey found that 54% of customers would stop doing business with a company following a data breach of financial information, and 45% are unlikely to do business with a company that experienced a data breach in general.

Just like our customers, our employees trust us to store their personal information, including addresses, bank account(s), social security numbers, and benefit use. Employees, however, are also a constant source for cyberattacks. Employees power up devices daily and connect to the internet to access online services so that they can get the latest news, shop for the best deals, connect with friends, stream music, and access their financial information. As they use these online services, they can quickly become a target of cybercriminals and hackers.

In fact, the most prevalent kinds of attacks—ransomware and IoT attacks—are targeting the people in our organizations.

Ransomware is an attack on an organization’s hardware, software, or data where the goal is to lock the attacked area and hold it “hostage” until the criminal’s demand payment is made to unlock it. Ransonware is typically delivered via phishing emails that target individual employees. More than 4,000 ransomware attacks occurred each day in 2016 alone—a 300% increase over 2015. (4) Cybersecurity Ventures reports that ransomware damage costs exceeded $5 billion in 2017, up more than 15 times from 2015 (5)—yet studies show that only 47% of victims (6) who pay the ransom ever recover any files!

Internet of Things (IoT) is a network of physical devices embedded with electronics, software, and sensors that enable objects to connect and exchange data, posing a huge security weakness because often they are activated with their default passwords that are then unchanged and easily compromised. Once criminals break into these devices, they can use them to create botnets, which can unleash large-scale attacks to steal data, identify further vulnerabilities, or mount brute force attacks.

More? It is impossible to predict what new variants of attacks will emerge in the future, but it is safe to say that the cybercriminals are creative and determined.

Scared yet?

As an insurance company, an employer, an employee, or just a person in the world, we must continually protect against these increasing threats. As businesses, our cybersecurity strategy must be well coordinated, prioritized, responsive, and extend across all facets of our organizations.

Several steps can help mitigate this risk. They are:

Integrate cybersecurity as part of our corporate strategy and reinforce a culture of cybersecurity. Too often we approach cybersecurity with the mindset of a so-called “defenders dilemma”—worrying about the damage a data breach can cause—but not considering the benefit of avoiding an attack in the first place. A robust cybersecurity strategy must identify and prioritize the “crown jewels” of a company—the assets most important to a company’s competitive position.

Realize that employees of our organizations are our biggest threat. We tend to think of cybercriminals as nefarious individuals in faraway places, but in fact, IBM found in the 2016 Cyber Security Intelligence (7) index that 60% of all attacks were carried out by insiders—and of those, three-quarters involved malicious intent and one-quarter involved unknowing accomplices. This can make us wonder about the value of training. Certainly, we must control access to company data, and in fact, that can improve the chances of catching this behavior before it causes significant damage. But let’s not neglect training. In fact, the Ponemon Institute found that even the least effective anti-phishing program produced a seven-fold return on investment. The study also showed that the average retention rate of practical training was 75%. Due to the frequency and costs of phishing attacks, this translates into a yearly cost savings of $1.8 million, or $189.40 per employee. (8) Training can clearly work…when it’s done correctly. Many organizations are opting for training through short video sessions of less than five minutes that recreate real-life situations, and they find that these sessions are more effective than all day sessions in the corporate training facility. The goal is to build a “human firewall,” in which employees know how to respond to specific threats (internal and external) and feel that they are contributing to the overall organizational health. The adage of “See something – Say something” applies here.

Practice constant detection—and then more detection. Research shows that most detection efforts of businesses are way too slow; in fact, the average time it takes for large businesses to detect a security breach is an astounding 206 days—and as many as 73% of incidents go undetected. (9) The first line of defense is our IT staff, ensuring that they have the right tools, constant training to improve skills, enough resources, and, most importantly, the charter to have complete visibility across all technical assets of the organization. Additionally, third-party auditing has proven to be a huge benefit. This is the process of having an independent external organization assess, evaluate, and report on the effectiveness of our controls. Detection is very important: it’s not a matter of whether our systems will be breached, but rather when and how quickly we can react.

Develop data protection plans—collect only what you need and share only what you must. Data is only useful when you process and analyze it. Collecting data that you hope to use one day (called hoarding) is expensive and dangerous. Extend this goal to your third-party vendors; if you limit access to your data to what they absolutely need, they can’t compromise your data without your knowledge. Remember, if your organization owns the data, then you are legally responsible for it, not the vendor. New laws regarding security of data and company responsibilities are being written and enacted all over the world. In the EU, the GDPR, enacted in May 2018, recognizes that an individual’s personal data is their own and requires companies to ensure the protection of that data throughout their lifecycle and processing. (10) And, in February 2018, the U.S. Security and Exchange Commission released new guidance that demanded more extensive cybersecurity disclosures and called upon boards of directors specifically to incorporate cybersecurity strategies into their broader risk management processes. (11)

Plan for the worst—robust and continuously tested contingency plans may keep you from being the next statistic. Create a formal incident response team that includes IT and business partners. This alone has proven to reduce the cost of a security breach by at least $19 per record. (12) This team should create internal crisis management playbooks that recognize that all threats and attacks should not be handled in the same way. Effective response plans include every scenario, with detailed charts identifying roles and responsibilities of all stakeholders. These plans need to include key departments—legal, communications, marketing, and human resources—in addition to the IT and executive level. In the event of an attack, strive for transparency and simplicity, internally as well as externally.


It is becoming increasingly clear that we cannot think we can be perfectly protected against every possible attack. As criminals find more targets to attack and more ways to leverage malware and other malicious tools, defenses will have to be even more coordinated across our organizations. Ongoing training, well-resourced detection efforts, and detailed response plans can help us prepare for an eventual breach.

A company culture that truly embraces cybersecurity, senior leadership that views it as a part of the broader risk management process, and a serious look at the corporate structure to make sure employees are encouraged to investigate and address issues are all ways we can improve our cybersecurity. The most successful cybersecurity approaches are not necessarily the most expensive, but they do require persistence, attention, and prioritization. More than knowing the legal aspects, we need to understand our ethical obligation to protect the private information of our fellow humans.



1. Oyedele, Akin. BUFFETT: This is 'the number one problem with mankind'. Business Insider. [Online] May 6, 2017.

2. Morgan, Steve. To 5 Cybersecurity Faacts, Figures and Statistics for 2018. CSO. [Online] January 23, 2018.

3. SafeNet. Global Survey revelas impact of data breaches on customer loyalty. Gemalto. [Online]

4. How to Protect Your Networks from Ransomware, pg 2. [Online]

5. Morgan, Steve. Ransomware Damage Report. Cybersecurity Ventures. [Online] May 2017.

6. O'Neill, Patrick Howell. Ransomware is Now a $2 Billion-Per-Year Criminal Industry. CyberScoop. [Online] November 21, 2017.

7. [Online]

8. The Cost of Phishing and Value of Employee Training p.3. Institute, Ponemon. August, 2015.

9. McCollom, Tim. The Cybersecurity Imperative. Internal Auditor. July, 2015.

10. Bringing It All Together: NYS DFS, SWIFT, SEC, and GDPR. RSA Conference. [Online]

11. US Securities and Exchange Commission. [Online] February 21, 2018.

12. 2017 Cost of Data Breach Study p6. Ponemon Institute.




Home | Contact | Site Map