E&O Exposures and Risk Management: The Impact on Agents
Ransomware is driving 2020’s loss ratios, and it’s causing cyber insurance prices to go up. Analysts and brokers, including Moody’s Analytics, have reported that the insurance industry loss ratio for 2020 is at an excess of 50% or higher—a significant shift for the cyber insurance marketplace where competitive prices between 2015 and 2018 get price increases down despite an increase in cyber loss ratios. We now know that the direct premiums written for the cyber line have increased since 2015 and have become a must-have for most organizations in lieu of a nice-to-have coverage.
Premium volume has gone up from $488 million to over $1.3 billion in 2019. Estimates show that 2020 will close out about $1.6 billion worth of premium volume. That is quite significant when you consider that the demand for cyber coverage will continue to increase, given the changing nature of the loss exposure risk and the persuasiveness of the technology that is being developed. The industry is seeing a surge of new tech as well as the potential of its loss exposure risk, which impacts supply chains.
In turn, more carriers are examining their relationships with insureds. Do they cover their upstream partners as well? Do they have one of their co-partners or entities? In other words, they are starting to look at the aggregation of risk and the impact it will have on pricing and loss exposures.
2020 Cost of Data Breach Impact
Coverage and price decisions are becoming a more significant challenge. Be prepared to handle it by understanding how to avoid getting into an agent/broker E&O exposure. Buyers without robust insurance continue to find themselves on the short end and not having the coverage they expected. They are finding themselves in situations where they may have misrepresented the cyber security systems they thought they had in place.
Compounding the challenge are insurance companies that avoid coverage and do not pay it based upon insured misrepresentations and coverage exclusions. Currently, 51% of consulting and legal services for data breach claims are paid by cyber insurance carriers. The low rate of victim restitution claims paid by cyber insurance carriers in data breach claims tells us that organizations are not meeting identity theft elements as much as originally thought. Cyber insurance pays 30% of the regulatory fines, showing that not everybody buys the regulatory fines and penalty coverage necessary for regulatory compliance. Agents beware! We predict this sleeping giant is going to cause problems.
Forensic experts tell us that 29% of recovery technology costs are paid for by cyber insurance. The problem is that they find the problem but do not fix it, causing us to miss needed rectification costs. The most prominent unknown elements are ransomware and its corresponding extortion costs. Only 10% have been paid by the insurance carriers, as there are specific rules about how to handle ransomware and how insurance companies should get involved. Those paying ransomware could find themselves in trouble with the treasury department regulations and advisories in paying foreign parties.
Coverage Pitfalls
Prior and pending litigation exclusions and other causative events reduce insurance coverages. We have up to 280 days (about nine months) to discover an actual intrusion, but what does that do to the retrospective claims-made date on the insurance contract? What is an occurrence, and how is it triggered? Do the cyber coverage forms respond by paying on behalf of the insured or by providing reimbursement? Is the negligent act of an employee sharing a password, knowingly or not, covered?
Other Pitfalls
- Failure to renew coverage
- Failure to place on best terms and conditions available
- Misrepresentation and placing with an insolvent carrier
- Cyber professional liability or errors and omissions coverage
|
Tip: The Devil is in the Details. Spend time understanding key triggers and insuring agreements. For example, ensure you understand how pervasive or limiting that definition of wrongful act is. If we need a clarifying endorsement, the biggest and most recent one is the minimum required security practices exclusion. When a representation is made on the application that these minimum required security practices are being done, that warranty can be a way to rescind or avoid coverage. This kind of exclusion is a pitfall for agents. The best security practice is to make sure that you meet those minimum security requirements. |
Case Study: Social Engineering and Cyber Terrorism at Mississippi Silicon Holdings, LLC
This case study highlights an example of an E&O claim soon to be filed against the agent for failure to obtain adequate coverage.
Cyber-terrorism is an expanding risk, and new definitions create challenges, including selling any cyber-crime coverage. If agents are not selling cyber-crime insurance or relying on the crime form, clients are not covered for cyber terrorism.
In October 2017, the Chief Financial Officer of Mississippi Silicon Holdings, LLC received an email from someone pretending to be a regular vendor saying that future payments should be routed to a new bank account. The email included a letter relaying the same instructions written on the vendor’s letterhead and signed by the vendor executive, which was attached to the email, and the email’s body also had the previous emails between the chief financial officer and the vendor’s personnel concerning invoices and shipping details.
The official authorized two wire transfers to the vendor’s new bank account totaling $1.025 million.
The crime insurance company was not obligated to reimburse the silicon manufacturer for the wire transfer theft of more than $1 million under its computer transfer fraud provision because company officials had approved the transfer according to a ruling by the Fifth U.S. Circuit Court of Appeals in New Orleans.
The ruling concluded that payments were made following the company’s three-step verification process for large transfers.
- The Chief Financial Officer initiated the transfer.
- Another company employee confirmed it on the bank’s website.
- The company’s Chief Operating Officer orally authorized the transfer by phone with a bank representative.
Two months later, the company realized it was a cyber fraud victim when the actual vendor called to discuss outstanding payments the manufacturer thought they had already made. The manufacturer filed a claim for $1,025,831 under their commercial crime policy that had a $100,000 limit of insurance for its social engineering fraud provision. However, the insurance company refused to pay for the claim under its crime computer transfer fraud policy provision, which had a million-dollar limit. The suit against the insurance company was filed in the U.S. District Court in Amery, Mississippi. The U.S. District Court ruled in the insurance company’s favor.
The Takeaway
This dispute boils down to a disagreement over the interpretation of the policy’s computer transfer fraud provision. The policy states that coverage under the computer transfer fraud provision is available only when a computer-based fraud scheme causes a transfer of funds without the insured’s knowledge or consent. We can anticipate that the agent or broker will be brought in on this now that they cannot find those $900,000.
Questions for the Agent
- Do agents and brokers understand the coverage they sell?
- Do they understand social engineering, cyber-crime, the crime form, and impersonator coverage?
- Do they understand the impact of sub-limits that come out of this and similar cases?
- How are they presenting coverage and disclosing the impact or requirements for validation in a social engineering claim scenario like this?
Standard of Care is Owed
“Standard of care” is a simple concept of providing reasonable care, diligence, and judgment in ordering and procuring the request for coverage from the client. This also applies to cyber insurance, so agents must know what clients are asking for. Good agents and brokers work within a heightened standard of care since they provide advice in many instances. Agents/brokers have created the affirmative obligation to provide advice because a client does not understand all cyber insurance facets and substantially relies upon the agent/broker. Agents/brokers need to understand their client’s needs and sell coverages that satisfy them. Agents/brokers must understand the potential loss exposures that put them into the heightened standard of care to provide advice. In many ways, agents/brokers become more of a risk advisor or insurance consultant.
Are the clients asking for social engineering coverage for unauthorized acts? For privacy invasion? Do they want business income? Are they asking for PCI compliance coverage? Agents/brokers need to be aware of these and other questions and give prompt notice if they cannot supply or obtain certain requested coverages. Clients can sue if agents fail to place coverage after agreeing to procure it. This would be considered a failure to provide proper advice and a heightened standard of care.
Clients rely on us. We must understand that agents/brokers must constantly learn and grow their skill sets, including cyber and technology. Agents/brokers must know the types of coverage available, what carriers are involved, and how to canvas the marketplace.
Claims Shift Toward Coverage Issues
The rule of thumb used to be that 50% of the claims were procedural and 50% were knowledge-based. We are now seeing them become more knowledge-based. About 66% of all agent/broker claims come from improper coverage, showing a lack of knowledge issues. Within faulty or improper coverage are three major sub-problems: failure to obtain the proper coverage, failure to obtain coverage, and failure to renew coverage. The risk is inherent at the beginning, the middle, the end, and when renewing. Agents/brokers need to strengthen their ability to analyze the risk properly and know that obtaining cyber coverage is a necessity.
Risk Management and E&O Exposure: Selling Cyber Coverage
Good agents/brokers will fill out an application, get hard numbers and limits, and help clients understand their cyber coverage. Knowledge errors in cyber, technology, and procurement are enormous and continue to grow. Not understanding the trigger of a wrongful act, which insuring agreements apply, and not understanding the sub-limits can mean disaster.
Licensed insurance agents/brokers need to have some knowledge of risk control advice and understand the elements suggested. It is best to have general discussions with your clients and let the professionals, forensic experts or auditors, provide guidance when it comes to specifics. Agents/brokers can strengthen their skills as risk advisors with the heightened professional standard of care by keeping their credibility and staying current in education about cyber as it relates to the insurance company.
- Invest in SOAR (Security Orchestration, Automation, Response) to define, prioritize, and standardize responses to cyber events.
- Know your terminology and elements: What is a “zero-trust” security model? If you see or hear such terms and they do not make sense to you, Google it!
- Conduct a stress test with an outside vendor.
- Ask the vendor to help determine endpoints and remote employee access.
- Always tell your client to invest in governance, risk management, and compliance programs.
- Use managed security to help find gaps in an organization, training, and other items.
- Know your markets: Over 65 active insurance markets write some form of cyber insurance.
Cyber Insurance Is No Longer a “Nice to Have.”
The industry is now experiencing contracts between business enterprises and upstream clients that say they will not allow agents/brokers to work with them unless they have cyber insurance or cyber security programs in place. The Commercial General Liability Coverage Form and other commercial property policies do not respond to cyber exposures, nor do they provide adequate coverage against them. Agents/brokers must make the lack of coverage absolutely clear to the client.
Trends in special relationship, ethics, and the E&O process:
Thankfully, agents/brokers are doing their jobs.
Ethical agents/brokers directly correlate to the impact on E&O limits. A higher standard of care means higher limits. The industry is witnessing a growing trend among small to medium-sized insurance brokers looking at and significantly increasing their E&O limits to $4–$25 million.
Products are Becoming Commodity-Driven
Personal auto coverage is commodity-driven. In addition, Homeowners coverage is commodity-driven except for the high wealth. Clients want to know if you are a captive agency system or an independent agency system. Do you provide risk management value and added services changes?
Become a member of a trade association.
Agents/brokers with professional designations are more responsible for maintaining a high level of ethical performance and legal standards. For over 50 years, designations from The National Alliance have been recognized throughout the insurance industry as symbols of trust and credibility. Designees commit to continuing education to maintain the knowledge and skills needed to respond to evolving coverage needs.
Conclusion
When working with clients on cyber insurance, technology, and E&O insurance areas, go back to the basics. Use the skills you have developed as a competent producer, agent, or broker in a similar situation. Take a good look at what you are doing for the client, knowing that liability is created by the failure to procure the requested insurance or by obtaining insurance that was materially deficient in some way. Continue learning. That is our ethical and most basic duty to our clients.
