Beware of tax-related identity theft and fraud

Anita Byer

Tax-related identity theft occurs when a criminal uses your Social Security number to file a tax return under your name to steal your tax refund. According to the Treasury Inspector General for Tax Administration, the Internal Revenue Service stopped nearly $2 billion in fraudulent refunds last year. In 2023, the IRS identified over a million tax returns as potentially fraudulent, with associated refunds exceeding $6 billion. Since victims of tax-related identity theft and fraud are typically unaware until it is too late, staying alert and knowing the signs of fraud is key.

According to the IRS, you should be alert to possible tax-related identity theft and fraud if:

  • You get a letter from the IRS about a suspicious tax return.
  • You can’t e-file your tax return because of a duplicate Social Security number.
  • You get a tax transcript in the mail that you did not request.
  • You get an IRS notice that an online account has been created in your name or that your existing account has been accessed or disabled when you took no action.
  • You get an IRS notice that you owe additional tax or refund offset, or that you have had collection actions taken against you for a year you did not file a tax return.
  • IRS records indicate you received wages or other income from an employer you didn’t work for.

 

Since many scams begin with someone contacting you under false pretenses, knowing how and when the IRS contacts people can make it easier to identify imposters and impersonators. According to the IRS, initial contact is typically done by mail delivered by the U.S. Postal Service. The IRS may also contact you in other ways, depending on the circumstances. However, the IRS does not:

  • Direct message or take payment on social media.
  • Accept gift cards or prepaid debit cards as payment.
  • Call with automated messages that threaten or direct to websites that aren’t IRS.gov.
  • Threaten to call law enforcement or immigration officials.
  • Take your citizenship status, driver’s license or business license.
  • Mail tax debt resolution advertisements.

 

To protect against taxpayer identity theft, the IRS recommends:

  • Using current security software (firewalls, virus/malware protection, file encryption). Make sure it updates automatically.
  • Treating personal information like cash. Don’t leave it lying around.
  • Using strong, unique passwords and 2-Factor Authentication.
  • Avoiding phishing scams and malware that often come in emails that appear to come from a trusted source and emails with urgent messages.

 

When preventative measures fail, insurance is available to help victims through the often expensive and time-consuming process of recovery. Please contact us if you would like more information about insurance specifically designed to protect against identity theft.

Using indemnification agreements to allocate risk

By Anita Byer

Indemnification agreements are commonly used in business transactions to allocate risk. Risk allocation involves identifying who is responsible for what and for how much. In some cases, a contract requires one party to assume the liability of another party. These risk transfers are commonly found in construction and landlord/tenant agreements, and are becoming common practice in other industries as well.

Assuming responsibility for the acts of another is obviously a big deal. So, it’s important to know the nature and extent of the risk being assumed, and to have a plan to pay in the event of a loss. At a minimum, this requires an understanding of indemnification and Additional Insured status.

Indemnification

An indemnification agreement generally requires one party (the indemnitor) to assume the liability of another party (the indemnitee). In the event of a loss that is specified in the contract, the indemnitor agrees to compensate the indemnitee for their loss. It is important to understand that these provisions commonly require the indemnitor to assume liability that would not otherwise exist.

For example, construction contracts routinely include broad indemnification provisions that transfer liability for not only bodily injury or property damage, but also for pollution, design flaws, delays and other perils not typically understood or contemplated by the indemnitor. Therefore, the indemnitor must understand all the risks being assumed.

Additional Insured Status

Fortunately, insurance coverage is available to cover assumed (or transferred) risks, so indemnitors can use insurance to finance some of their assumed risks. But indemnitees often request or require their indemnitors to not only purchase insurance, but to also name them as an Additional Insured so they can directly access benefits under the indemnitor’s policy.

Though Additional Insured status can be used to finance indemnification obligations, it is important to know that there are limitations. For example,

  • Additional Insured status only protects against losses covered by the insurance policy, regardless of what the indemnification agreement requires.
  • Indemnitees must satisfy the policy’s conditions, such as meeting the definition of an Additional Insured or having a written contract, if required.
  • An indemnitee’s protection may be compromised by shared coverage limits and a lack of control over the terms and conditions of an indemnitor’s policy.
  • Certificates of Insurance cannot be used to create or modify coverage under an insurance policy, regardless of what they say.

Perhaps the most common and potentially costly problem occurs when an indemnitor assumes a risk that is not covered by their insurance. For example, a plumber agrees to indemnify a general contractor for economic damages caused by the plumber’s delay in completing the work. The plumber takes a week longer than expected to finish the job. The general contractor hires additional workers to make up for the lost week and sends the bill for the extra labor to the plumber. Under the indemnification agreement, the plumber must pay for the extra workers. Unfortunately, since there was no bodily injury or property damage to trigger coverage under the plumber’s general liability insurance policy, the plumber must pay the cost himself. Remember that Additional Insured status cannot be used to cover indemnification obligations that are broader than the insurance coverage.

Before signing on the dotted line, ask the following questions:

  1. What are the terms and implications of the indemnification provision?
  2. Is the indemnitor required to obtain additional insured status for another?
  3. Is the language of the additional insured endorsement adequate, covering the indemnitor’s responsibilities or must additional measures be taken to ensure that contractual obligations are properly financed?

When used properly, indemnification agreements and various insurance coverages can be combined to effectively allocate and finance assumed risks. Since the process of allocating and transferring risk in any business transaction is always significant and often complex, businesses should consult an experienced and licensed professional before signing on the dotted line. Please contact us to learn more about allocating and transferring risk effectively and affordably.

New AI-specific insurance exclusions underscore risks associated with generative artificial intelligence

Anita Byer

Generative Artificial Intelligence (GAI) is a type of artificial intelligence that creates new content (text, images, audio, video) in response to basic user prompts. Many organizations are now exploring ways to leverage this transformative technology to advance operational and business objectives. But despite its seemingly limitless upside, the operational use of GAI introduces new, potentially significant liability exposures. The consequences of failing to control organizational risks associated with GAI are underscored by the fact that insurance companies are beginning to include AI-specific coverage exclusions in their commercial general liability policies.

The operational use of GAI can expand existing and generate new liability exposures. According to Verisk, a data and analytics company, these exposures may include the following.

Copyright infringement and invasion of privacy. If the datasets used to train a GAI model contain copyrighted or sensitive information (many do), such information may end up in the new content generated by GAI. This could result in claims of copyright infringement and privacy invasions.

Professional errors & omissions. AI models are increasingly being trained to dispense expert-level professional advice, but their output continues to include mistakes or “hallucinations.” If the professional guidance provided by an AI chatbot is flawed or incorrect, the organization may be exposed to claims of professional malpractice.

Products liability. GAI is increasingly being used in design and product manufacturing applications. With its current limitations, GAI may create or produce defective or poorly designed products capable of causing serious damage or injury to those who use or are otherwise exposed to them.

Bias and discrimination. AI tools have been known to recreate patterns of bias and discrimination that are present in their training datasets. GAI output that includes biased or discriminatory components may result in claims of unlawful discrimination.

Compliance and regulatory risks. GAI is increasingly being used to assist with critical compliance and regulatory functions. But as we know, GAI’s output can be flawed or incorrect. If, for example, a public company submits a false or misleading document created by GAI to the SEC, the lack of due diligence could expose the organization to D&O and professional liability claims.

Importantly, the Insurance Services Office (ISO), an advisory organization that provides standard policy forms and rating information to insurers, recently introduced Generative Artificial Intelligence exclusions for commercial general liability policies. Under these exclusions, claims for bodily injury, property damage, and personal advertising injury that arise out of GAI are not covered by insurance.

These exclusions may present a big problem for many organizations because they apply broadly to all claims arising out of “generative artificial intelligence,” which is defined as a machine-based learning system or model that is trained on data with the ability to create content or responses, including but not limited to text, images, audio, video or code. Many anticipate that general liability policies will increasingly include AI-specific coverage exclusions going forward. Organizations using generative artificial intelligence operationally must ensure that their insurance covers the new and expanded liability exposures created by GAI.

The benefits of travel insurance for holiday travelers

Anita Byer

The holiday travel season is officially underway. In the coming weeks, tens of millions of people will be gathering at airports, train stations, baggage claims, car rental counters, and toll booths across the land hoping that their best laid plans will endure the chaos of holiday travel. Despite springing eternal, hope tends to disappear along with lost luggage and missed flights. But the benefits of a travel insurance policy, like reimbursement for covered financial losses, will remain even after the hope of a smooth trip is gone.

Travel Insurance is designed to limit financial losses caused by various travel-related risks. These losses can range anywhere from a few hundred dollars to tens of thousands of dollars. Many types of travel insurance policies are available, but there are a handful of coverages that most travelers are likely to need.

Trip Cancellation. Reimburses pre-paid, non-refundable travel expenses if your trip is cancelled for a reason that is covered under the policy, which may include:

  • Injury, illness or death involving you, a family member or a travel companion.
  • Inclement weather, natural disaster or act of terrorism that affects your destination.
  • Military duty, strike, or lost documents (passport, visa, etc.).
  • Bankruptcy or financial default of your travel supplier.
  • Unforeseen work-related obligation.

 

Medical Emergencies and Evacuations. Covers emergency medical and dental treatment that is needed while traveling abroad. Treatment for pre-existing conditions is typically not covered. Policies may also cover emergency evacuations, medically equipped transportation, and repatriation of remains.

Lost or Delayed Baggage. Covers personal belongings if your baggage is lost, stolen or damaged. Baggage delay coverage reimburses the cost of buying essential items that are needed while waiting for your baggage.

Trip Delay. Reimburses expenses, like food and lodging, caused by travel delays.

Here are a few tips to remember when purchasing travel insurance.

  • Choose a policy that matches your travel plans and financial situation.
  • Travel insurance has distinct coverages, conditions and exclusions. Read your policy carefully.
  • Don’t assume your homeowners’ or renters’ insurance policy will provide sufficient (or any) travel-related coverage.
  • If you’re traveling with expensive items, like jewelry or sporting equipment, you may need a personal property floater to cover them.
  • Expanded coverage options may also be available for an additional charge. Cancel for Any Reason (CFAR) coverage, for example, is an optional upgrade that allows policyholders to cancel a trip for virtually any reason and receive a partial refund of their non-refundable expenses.

 

Please contact us to learn more about your travel insurance options.

Florida approves 6.9% workers’ compensation rate decrease for 2026

Anita Byer

 

Florida employers will be paying less for workers’ compensation insurance next year. The Florida Office of Insurance Regulation approved a statewide overall average rate decrease of 6.9 percent for workers’ compensation insurance premiums. It will be the ninth consecutive year with a rate decrease. According to Florida Insurance Commissioner Michael Yaworsky, “this rate decrease directly translates to reduced operating costs for businesses, encouraging investment and growth throughout Florida’s economy.” The rate decrease will apply to new and renewal policies beginning January 1, 2026.

The 6.9 percent rate reduction was proposed by the National Council on Compensation Insurance (NCCI), a rating organization authorized to make rate filings on behalf of workers’ compensation insurance companies in Florida. The reduction was based on NCCI’s analysis of data from the two most recently available full policy years (i.e., 2022 – 2023) as of December 31, 2024. According to NCCI, the data supports the following changes to the components of the overall average rate level decrease.

  • Change in Experience, Development and Trend: 6.9% decrease.
  • Change in Benefits: 0.4% decrease.
  • Change in Production and General Expenses: 0.3% increase. Production expenses include commissions and costs associated with processing policies. General expenses primarily consist of salaries and overhead costs.
  • Change in the Profit and Contingency Provision: no change (0.0 percent). Florida workers’ compensation rates must be determined so that insurers can be expected to earn a reasonable rate of return. This filing proposes no change to the currently approved P&C provision.
  • Change in Loss-Based Expenses: 0.1% increase. These are expenses associated with the handling of workers’ compensation claims.

 

Overall Average Rate Level Change: 6.9 percent decrease.

NCCI also proposed an overall average rate level decrease of 14.3 percent for Federal classifications. These “F-classifications” refer to operations conducted on or about navigable waters for which benefit levels and related costs are determined by the United States Longshore and Harbor Workers’ Compensation Act, rather than individual state laws. Typical F-classifications include those covering ship builders and stevedores.

Please contact us to learn more about the upcoming workers’ compensation rate reduction.

Global cat losses top $100B for 6th consecutive year despite ‘uncharacteristic’ lack of major events in Q3

Anita Byer

A recent report on global natural catastrophe losses revealed that despite an uncharacteristic lack of major events during the third quarter of 2025, insured losses still managed to top $100 billion globally for the sixth consecutive calendar year and the eighth year since 2017. Gallagher Re’s 2025 Natural Catastrophe and Climate Report (Q3) found that governments and insurers are currently well within their annual catastrophe budgets due to the “abnormally low frequency of high-cost events” to date. Gallagher Re, however, cautions that the trend of greater losses over time is likely to persist as volatility and the likelihood of greater loss potential continue to increase.

Despite losses already topping $100 billion, the data set forth in the report reveals below-average economic and insured losses during the first nine months of 2025. According to Gallagher Re’s preliminary loss data,

  • Global economic loss estimates from all natural perils during the first three quarters of 2025 is $214 billion. In addition to being the lowest total since 2015, this loss estimate is substantially less than the 2015-2024 Q1-Q3 average of $338 billion.
  • Global insured loss estimates during the first three quarters of 2025 total $105 billion, which is the lowest total since 2019. It is also substantially less than the 2015-2024 Q1-Q3 average of $114 billion.
  • The unusual lack of major events from July through September made it one of the least expensive third quarters for insurance companies since 2000.
  • Insured losses during the third quarter alone are estimated to be less than $15 billion, which is the lowest total since 2016.
  • Economic losses during the third quarter alone are estimated to be less than $50 billion, which is the lowest Q3 loss estimate since 2006.

 

The report notes that the financial health of property insurers will strengthen further if these unusually low losses persist for the remainder of 2025. Gallagher Re estimates that it would require unexpected catastrophic events resulting in insured losses of at least $115 billion to meaningfully impact the insurance industry, but the year is not over yet.

While the fourth quarter is typically the least expensive quarter for economic and insured losses, it seems nobody to Hurricane Mellissa, which tied long-standing Atlantic Basin records for lowest recorded pressure (892 millibars) and peak sustained winds (185 mph) when it made landfall in late October. According to Verisk, a data analytics firm, insured property losses for Hurricane Melissa are expected to range between $2.2 and $4.2 billion. Fortunately, these loss estimates are well below Gallagher Re’s estimated loss cushion retained by insurers due to the uncharacteristic lack of major events during the third quarter of 2025.

Contact our team of experienced and responsive insurance and risk management professionals to find affordable options to protect your home and your business against natural disasters and other catastrophes.

Cyber survey reveals gains and gaps in corporate cybersecurity measures

Anita Byer

Before closing the book on this year’s Cybersecurity Awareness Month, it is important for businesses to recognize the expanding scope and severity of cyberattacks and the consequences for failing to implement and maintain adequate cybersecurity measures. According to Aon’s 2025 Global Risk Management Survey, most organizations identified cyberattacks and data breaches as the top current risk and top future risk they face. The fact that the FBI reported over $2.7 billion in losses in 2024 from business email compromise attacks alone seems to justify their concerns.

Despite the near universal acknowledgment of cyber threats, Moody’s 2025 Cyber Survey (10/1/2025) reveals less than universal adoption of adequate cybersecurity measures, particularly when it comes to the use of artificial intelligence.

AI Governance Policies. The survey found that large numbers of organizations lack rules governing the safe use of AI tools in the workplace. While a majority of respondents have policies restricting the use of internal and proprietary data with public AI tools, nearly a quarter of respondents have no such policies in place. According to Moody’s, insufficient AI governance can increase the likelihood of data breaches, regulatory penalties, and loss of competitive advantage.

Growing risk from third-party (vendor) software. The use of third-party software, systems, and applications for operational purposes often creates vulnerabilities that can be leveraged to gain unauthorized access. According to Moody’s, third-party software increases the attack surface by providing more entry points for hackers to exploit. Bad actors tend to favor supply chain attacks because compromising a third-party vendor allows them to also attack the vendor’s customers, clients, and end users. However, despite the growing risks associated with third-party software, only 49 percent of respondents annually reviewed their vendors’ cybersecurity risk practices. Although twenty-two percent perform such reviews every few years, a startling fourteen percent of respondents have never reviewed their vendors’ cybersecurity practices.

Adoption of multi-factor authentication (MFA) is lagging. Despite the proven effectiveness of multi-factor authentication, nearly 25 percent of respondents fail to implement and enforce a mandatory MFA policy for all applications.

Ransomware defenses are patchy. Moody’s notes that ransomware attacks are increasing in frequency, severity, and sophistication. Bad actors have evolved from basic data encryption to include double and triple extortion ransomware attacks. In addition to encrypting sensitive data, double-extortion attacks also involve the exfiltration of data, which can then be released or sold by bad actors if the target is reluctant to pay. In triple extortion attacks, bad actors threaten to attack the target’s customers, partners, or employees, or launch Distributed Denial of Service (DDoS) attack to encourage payment.

Although daily data backups can provide an effective safeguard against ransomware attacks, the survey found that nearly a quarter of the respondents do not scan their backup data for malware or other vulnerabilities. The failure to do so may leave businesses at the mercy of ransomware attackers, which is far from ideal.

Cyber managers increasingly report to CEOs and CFOs. The survey revealed that more senior cyber managers are reporting to chief executives than before. In 2023, only 15 percent of respondents reported to the CEO or CFO. In 2025, the percentage increased to 28 percent. Many, including Moody’s, view this as a positive development.

Small and medium-sized businesses should have Cyber Perils Insurance Coverage to protect against various cyber threats and liability exposures, including the cost of complying with data breach notice laws. Please contact us if you would like more information about insurance specifically designed to protect against cyber threats and data security breaches.

Every business should implement a mandatory multi-factor authentication policy

Anita Byer

Businesses wanting to make the most of Cybersecurity Awareness Month (October) should consider implementing a mandatory multi-factor authentication (MFA) policy for all employees. MFA ranks among the most effective measures that organizations can implement to protect sensitive systems, accounts, and data. In fact, research conducted by Microsoft found that MFA can block more than 99 percent of account compromise attacks.

Multi-factor authentication is a security process that requires more than one method of authentication from independent sources to verify a user’s identity. When MFA is enabled, a person cannot access a system or account without first providing at least two identity authentication factors (credentials). These credentials can be:

  • Something You Know (password, PIN, security question)
  • Something You Have (security token/app, verification via text, call, or email)
  • Something You Are (fingerprint, facial recognition, voice recognition)

 

The Cybersecurity & Infrastructure Security Agency (CISA) recommends taking the following steps to secure sensitive business data using multi-factor authentication.

Require MFA wherever possible. Businesses should coordinate with IT to activate MFA across all systems, including email, file and data storage, and remote access. Administrative accounts and sensitive employee accounts should be made a priority.

Use the strongest MFA option available. CISA cautions that not all methods of MFA are created equally. Although any method of MFA is better than nothing, some methods provide more protection than others. CISA recommends that businesses implement a policy requiring one or a combination of the following MFA verification methods, which are listed from most to least secure.

  • Security Key: A security key is a small hardware device, like a thumb drive or key fob, that provides an additional layer of security when logging into accounts. According to CISA, physical security keys are easy to use and provide the best protection against phishing attacks.
  • Authenticator App: Authenticator apps generate random, time-sensitive one-time codes or push notifications to help users verify their identity when logging into networks or accounts.
  • Biometrics: Biometric MFA is a security method that uses unique human characteristics, like fingerprints or facial features, to verify a user’s identity before granting access to a system or data. CISA notes that biometric security features are best when used with another method of MFA.
  • Text or Email Code: Despite its familiarity, systems that send a one-time code via text or email may be the least secure method of MFA (but still better than nothing). According to CISA, this method should only be used if stronger MFA options are not available.

 

Training. Employees must be trained to understand the organization’s commitment to security and their individual obligation to implement and use MFA when accessing systems and data.

MFA makes it difficult for hackers to access sensitive business accounts or data even with the password. If you have the option to enable MFA, do it now. Systems and platforms without MFA capabilities are way behind the curve and should probably be avoided. Businesses should also have Cyber Perils Insurance Coverage to protect against various cyber threats and liability exposures. Please contact us if you would like more information about insurance specifically designed to protect against cyber threats and data security breaches.

Making the most out of Cybersecurity Awareness Month

Anita Byer

October is Cybersecurity Awareness Month. The purpose of this global initiative, which began in 2003, is to raise awareness about online security and empower individuals and businesses to protect themselves against cyber threats. This year’s theme—Building a Cyber Strong America—highlights the need to strengthen the country’s infrastructure against cyber threats, ensuring resilience and security. Unfortunately, after more than 20 years, the need for cybersecurity awareness is arguably greater than ever before. According to the Identity Theft Resource Center, there were 1,732 data breaches and more than 165 million victim notices during the first half of 2025.

The Cybersecurity & Infrastructure Security Agency (CISA), which is the federal lead for Cybersecurity Awareness Month, notes that businesses and organizations without basic cybersecurity precautions make easy targets for bad actors. According to Verizon’s 2025 Data Breach Investigations Report, the human element remains the common link in most (60 percent) data breaches, so enabling employees to identify and thwart cyberattacks is crucial. To reduce the chances of being victimized by a disruptive cyberattack, CISA recommends the following best practices.

  • Teach Employees to Avoid Phishing Scams. Phishing tricks employees into opening malicious attachments or sharing sensitive information. Staff should be trained to recognize and report suspicious activity.
  • Require Strong Passwords. Strong passwords are a simple and powerful way to block bad actors from accessing accounts through guessing or automated attacks. Strong passwords should be mandatory for all users.
  • Require Multifactor Authentication. MFA adds an extra layer of security beyond passwords. Organizations should require all users to activate MFA for all accounts.
  • Update Business Software. Outdated software can contain exploitable flaws. Security updates and patches should be installed immediately (or as soon as possible) after being released.
  • Monitor System Activity. Logging system activity can reveal that bad actors may be trying to access your data.
  • Back Up Data. Put a backup plan in place that aligns with your organization’s recovery point objective to protect your systems and keep things running smoothly.
  • Encrypt Data. Encrypting data and devices protects against attacks. Encrypted data remains locked and unreadable even if bad actors gain access to your files.

 

Implementing, maintaining and updating security policies and procedures is important, but it’s not always enough. Small and medium-sized businesses should have Cyber Perils Insurance Coverage to protect against various cyber threats and liability exposures, including the cost of complying with data breach notice laws. Please contact us if you would like more information about insurance specifically designed to protect against cyber threats and data security breaches.

 

NCCI recommends 6.9% Florida workers’ compensation rate decrease in 2026

Anita Byer

Florida employers may be paying less for workers’ compensation insurance next year. The National Council on Compensation Insurance (NCCI) is recommending an average rate level decrease of 6.9 percent for the voluntary market effective January 1, 2026. NCCI, which is authorized to recommend rates on behalf of workers’ compensation insurers in Florida, submitted its proposed rate reduction to the Florida Office of Insurance Regulation for review. If approved, it will be the ninth consecutive year workers’ compensation rates have gone down in Florida.

The proposed 6.9 percent rate reduction is based on experience data for policy years 2022 and 2023 as of year-end 2024. It also reflects the estimated impact of the Health Care Provider Fee Schedule changes effective January 1, 2026. The rate filing submitted by NCCI notes that the number of claims (frequency) and the cost of claims (severity) continue to be key metrics for the health of the workers’ compensation system. Indeed, improved loss experience resulting from declines in the frequency of lost-time claims during these policy years is identified as the primary driver of NCCI’s proposed rate decrease.

The rate filing notes that the workers’ compensation system in Florida and nationally generally remains healthy. According to NCCI:

  • The 2024 combined ratio for workers compensation is 86 percent. The combined ratio measures an insurance company’s profitability and financial health. A combined ratio below 100 percent (the break-even point) signifies underwriting profitability.
  • The frequency of lost-time claims continues its long-term decline across all NCCI states.
  • Claim frequency declined at a faster pace in 2024 than the long-term average rate of decline, which is seen as an indication of safer workplaces and fewer injured workers.
  • The severity of medical and wage replacement claims increased in 2024, driven in part by inflationary pressure.
  • Increased medical costs were primarily driven by the increased utilization of medical services by injured workers. NCCI notes that physician services account for more than 40% of all workers compensation medical services, even though the cost of these services only increased by 1.5% over the past three years.
  • The increase in indemnity benefits is primarily driven by an increase in wages.

 

NCCI also recommends extending published rating values from two to three decimal places. According to NCCI, this decimal extension allows for more precise adjustments that will be particularly beneficial for classification codes with lower rates by minimizing rounding limitations that are more likely to impact these class codes. The methodology for determining rates, however, remains unchanged.

Remember, NCCI is recommending a 6.9 percent rate decrease for 2026. Next year’s workers’ compensation premium rates will not be known until the Office of Insurance Regulation issues a final order. State regulators must still analyze NCCI’s data and may request an adjustment to the current recommendation before holding a public hearing.