E&O Exposures and Risk Management: The impact on agents.
Ransomware is driving 2020’s loss ratios and it’s causing cyber insurance prices to go up. Analysts and brokers, including Moody’s Analytics, reported that the insurance industry loss ratio for 2020 is at an excess of 50% or higher. A significant shift for the cyber insurance marketplace where competitive prices between 2015 and 2018 get price increases down despite an increase in cyber loss ratios. We now know that the direct premiums written for the cyber line have increased since 2015 and have become a must have for most organizations in lieu of a nice to have coverage.
Premium volume has gone up from 488 million to over 1.3 billion in 2019. Estimates show that 2020 will close out about $1.6 billion worth of premium volume. That is quite significant when you consider that the demand for cyber coverage will continue to increase given the changing nature of the loss exposures risk and the persuasiveness of the technology that is being developed. The industry is seeing a surge of new tech as well as the potential of its loss exposure risk which impact supply chains.
In turn, more carriers are examining their relationships to insureds. Do they cover their upstream partner as well? Do they have one of their co-partners or entities? In other words, they are starting to look at the aggregation of risk and the impact it will have on pricing and loss exposures.
2020 Cost of Data Breach Impact
Coverage and price decisions are becoming a bigger challenge. Be prepared to handle it by understanding how to avoid getting into an agent/broker E&O exposure. Buyers without robust insurance continue to find themselves on the short end and not having the coverage they expected. They are finding themselves in situations where they may have made misrepresentations about the cyber security systems, they thought they had in place.
Compounding the challenge are insurance companies that avoid coverage and not pay it based upon insured misrepresentations and coverage exclusions. Currently, 51% of consulting and legal services for data breach claims are paid by cyber insurance carriers. The low rate of victim restitution claims paid by cyber insurance carriers in data breach claims tells us that organizations are not meeting identity theft elements as much as originally thought. Cyber insurance pays 30% of the regulatory fines showing that not everybody is buying regulatory fines and penalty coverage necessary for regulatory compliance. Agents beware! We predict this sleeping giant is going to cause problems.
Forensic experts tell us that 29% of recovery technology costs are paid for by cyber insurance. The problem is they find the problem but do not fix it, causing us to miss needed rectification costs. The biggest unknown elements are ransomware and their corresponding extortion costs. Only 10% have been paid by the insurance carriers as there are specific rules about how to handle ransomware and how insurance companies should get involved. Those paying ransomware could find themselves in trouble with the treasury department regulations and advisories in paying foreign parties.
Coverage Pitfalls
Prior and pending litigation exclusions and other items that are causative events reduce insurance coverages. We have up to 280 days (about 9 months) to discover an actual intrusion, but what does that do to the retrospective claim made date on the insurance contract? What is an occurrence and how is it triggered? Do the cyber coverage forms respond by paying on behalf of the insured or by providing reimbursement? Is the negligent act of an employee sharing a password, knowingly or not, covered?
Other Pitfalls
- Failure to renew coverage.
- Failure to place on best terms and conditions available.
- Misrepresentation and placing with an insolvent carrier.
- Cyber professional liability or errors and emissions coverage.
| Tip: The Devil is in the Details Spend time understanding key triggers and insuring agreements. For example, ensure you understand how pervasive or how limiting that wrongful act definition is. If we need a clarifying endorsement the biggest and most recent one is the minimum required security practices exclusion. When a representation is made on the application that these minimum required security practices are being done, that warranty can be a way to rescind or avoid coverage. This kind of exclusion is a pitfall for agents. The best security practice is to make sure you meet that minimum security requirements. |
Case Study: Social Engineering and Cyber Terrorism at Mississippi Silicon holdings, LLC
This case study highlights an example of an E&O claim soon to be filed against the agent for failure to obtain adequate coverage.
Cyber terrorism is an expanding risk and new definitions create challenges including the sale of any cyber-crime coverage. If agents are not selling cyber-crime insurance or relying on the crime form, clients are not covered from cyber terrorism.
In October 2017, the Chief Financial Officer of Mississippi Silicon holdings, LLC received an email from someone pretending to be a regular vendor saying that future payments should be routed to a new bank account. The email included a letter relaying the same instructions written on the vendor’s letterhead and signed by the vendor executive, which was attached to the email and the email’s body also had the previous emails between the chief financial officer and the vendors personnel concerning invoices and shipping detail.
The official authorized two wire transfers to the vendor’s new bank account totaling $1.025 million.
The crime insurance company was not obligated to reimburse the silicon manufacturer for the wire transfer theft of more than $1 million under its computer transfer fraud provision because company officials had approved the transfer according to a ruling by the fifth US Circuit Court of Appeals in New Orleans.
The ruling concluded that payments were made following the company’s three step verification process for large transfers.
- The Chief Financial Officer initiated the transfer.
- Another company employee confirmed it on the bank’s website.
- The company’s Chief Operating Officer orally authorized the transfer on a phone call with a bank representative.
The company realized it was a cyber fraud victim two months later when the real vendor called to discuss outstanding payments the manufacturer thought they had already made. They filed a claim for $1,025,831 under the commercial crime policy that had a $100,000 dollar limit of insurance for its social engineering fraud provision. However, the insurance company refused to pay for the claim under its crime computer transfer fraud policy provision, which had a million-dollar limit. The suit against the insurance company was filed in the U.S. District Court in Amery, Mississippi. The U.S. District Court ruled in the insurance company’s favor.
Takeaway:
This dispute boils down to a disagreement over the interpretation of the policy’s computer transfer fraud provision. The policy states that coverage under the computer transfer fraud provision is available only when a computer-based fraud scheme causes a transfer of funds without the insured’s knowledge or consent. We can anticipate that the agent or broker will be brought in on this now that they cannot find those $900,000.
Questions for the Agent
- Do agents and brokers understand the coverage they sell?
- Do they understand social engineering, cyber-crime, the crime form, and impersonator coverage?
- Do they understand the impact of sub limits that comes out of this and similar cases?
- How are they presenting coverage and disclosing the impact or requirements for validation in a social engineering claim scenario like this?
Standard of Care is Owed
Standard of care is a simple concept of providing reasonable care, diligence and judgment in ordering and procuring the request of coverage from the client. This also applies to cyber insurance so agents must know what clients are asking for. Good agents and brokers work within a heightened standard of care since they are providing advice in many instances. Agents/brokers have created the affirmative obligation to provide advice, because a client does not understand all the facets of cyber insurance and substantially rely upon the agent/broker. Agents/brokers need to understand their client’s needs and sell the coverages that satisfy their client’s needs. Agent/brokers must understand the potential loss exposures that put them into the heightened standard of care to provide advice. In many ways, agents/brokers become more of a risk advisor or insurance consultant.
Are the clients asking for social engineering for unauthorized act? For privacy invasion? Do they want business income? Are they asking for PCI compliance coverage? Agents/brokers need to be aware of these and other questions and give prompt notice if they cannot supply or obtain certain requested coverages. Clients can sue if agents fail to place coverage after agreeing to procure it. That is considered failure to provide proper advice, which is a heightened standard of care.
Clients rely on us. We must understand the duty agents/brokers have to be learning constantly, growing their skillset to include cyber and technology items. Agents/brokers must know the types of coverages available, what carriers are involved, and to canvas the marketplace.
Claims shift Toward Coverage Issues
The rule of thumb used to be that 50% of the claims were procedural and 50% were knowledge based. We are now seeing them become more knowledge based. About 66% of all agent/broker claims are coming from improper coverage, showing lack of knowledge issues. Within faulty or improper coverage are three major sub-problems: failure to obtain the proper coverage, failure to obtain coverage, failure to renew coverage. The risk is inherent at the beginning, the middle, the end and when renewing. Agents/brokers need to strengthen their ability to analyze the risk properly and know to obtain cyber coverage as a necessity.
Risk Management and E&O Exposure: Selling Cyber Coverage
Good agents/brokers will fill out an application, get hard numbers, hard limits, and help the client understand their cyber coverage. Knowledge errors in cyber, technology, and procurement are huge and continue to grow. Not understanding the trigger of wrongful act, which insuring agreements apply, and not understanding the sub limits can mean disaster.
Licensed insurance agents/brokers need to have some knowledge of risk control advice and understand the elements suggested. It is best to have general discussions with your clients and let the professionals, like a forensic expert our auditor, when it comes to specifics. Agents/brokers can strengthen their skills as risk advisors with the heightened professional standard of care by keeping their credibility and staying current in education about cyber as it relates to the insurance company.
- Invest in SOAR (Security Orchestration, Automation, Response) to define, prioritize, and standardize responses to cyber events.
- Know your terminology and elements: What is a zero-trust security model? If you see or hear these terms and they do not make sense to you, Google it!
- Conduct a stress test with an outside vendor.
- Ask the vendor to help determine end points and remote employee access.
- Always tell your client to invest in governance, risk management, and compliance programs.
- Use managed security to help find gaps in an organization, training, and other items.
- Know your markets: Over 65 active insurance markets write some form of cyber insurance.
Cyber insurance is no longer a “nice to have.”
The industry is now experiencing contracts between business enterprises and upstream clients that say they will not allow agents/brokers to work with them unless they have cyber insurance or cyber/securities programs in place. The Commercial General Liability Coverage Form and other commercial property policies do not respond to cyber exposures, nor do they provide adequate coverage against then. Agents/brokers must make the lack of coverage absolutely clear to the client.
Trends in special relationship, ethics, and the E&O process
Thankfully, agents/brokers are doing their jobs.
Ethical agents/brokers have a direct correlation to the impact on E&O limits. Higher standard of care means higher limits. The industry is witnessing a growing trend among small to medium-sized insurance brokers looking at and significantly increasing their E&O limits to a range of $4-25 million.
Products are becoming commodity driven.
Personal auto is commodity driven. In addition, Homeowner’s is commodity driven except for the high wealth. Clients want to know if you are a captive agency system or an independent agency system. Do you provide risk management value and added services changes?
Become a member of a trade association.
Agents/brokers with professional designations have an increased responsibility to maintain a high level of ethical performance and legal standards. For over 50 years, designations from The National Alliance have been recognized throughout the insurance industry as symbols of trust and credibility. Designees commit to continuing education to maintain the knowledge and skills needed to respond to evolving coverage needs.
Conclusion
When you are working with clients on cyber insurance, technology, and E&O insurance areas, go back to the very basics. Use the skills you have developed as a competent producer, agent, or broker in a similar situation. Take a good look at what you are doing for the client knowing liability is created by the failure to procure the requested insurance or obtaining insurance that was materially deficient in some way. Continue learning. That is our ethical and most basic duty to our client.
