In our fast-paced, digitized cyber world, businesses have reduced or eliminated their paper files. In turn, business transactions and customer information are now stored electronically. Sometimes, when appropriate safeguards are not in place to ensure that this business information remains private, a data breach occurs.
The modern criminal continues to develop ways of obtaining and monetizing stolen information. According to the Ponemon Institute's 2017 survey of 419 companies in 11 countries (US included), the average cost of a data breach was $3.62M. Additionally, one out of four of the companies surveyed expect to experience another data breach in the next 24 months. Unquestionably, Cyber Liability has become a major area of exposure and risk for businesses both large and small.
The insurance industry has sought to address this concern through the development of cyber liability coverage, which is designed to address the cyber exposures businesses face. With this new niche in the industry, the insurance marketing professional needs to be aware of the ever-expanding cyber liability exposure to its customers. Without such understanding, both the marketing of, and the failure to market, cyber liability policies create additional potential E&O exposures for the insurance professional.
First, as with any policy, it is important to have a general knowledge of what the cyber policy does and does not cover. Unlike many lines of insurance coverage, most cyber policies are manuscript rather than ISO form. As such, the terms and conditions of each policy vary from carrier to carrier.
Second, most cyber liability policies cover first and third party liability due to network security breaches that pose an exposure to the insured. This exposure includes such aspects as data breach, data destruction, virus contamination, extortion, as well as liability due to privacy breaches.
Third, the policies often do not cover reputational harm, loss of future revenue, or named perils.
Finally, the amount of coverage available is normally several million dollars, so the potential errors and omissions exposure for mishandling such a policy can be substantial. Consequently, the insurance professional should carefully read each cyber policy he markets.
Insurance professionals can implement some simple steps to lower the risk of professional malpractice claims – several of which are standard in the industry:
- Know the product. Recognize that each cyber liability carrier's policy could contain different language with respect to what is covered and what is not covered.
- Know your client. Know the details of what your client's business practices involve, sufficiently that you know whether they might be a good candidate for such a policy.
- Document, document, document. Make sure all offers are in writing and send a copy of the offer to the client. Document all rejections of the coverage in writing and send a copy to the insured. Document all important transactions and conversations with the insured.
- Confirm coverage is correct. Once a cyber liability policy is issued by the carrier, the insurance professional should read it carefully to make sure it contains the coverage the client requested.
- Avoid coverage opinions. Refrain from making representations to the client as to what the cyber policy covers or does not cover. Instead direct all such questions to the carrier. This practice helps shield the agent from claims he made promises that the carrier is not inclined to keep. A number of courts across the country have held agents to a higher standard of care if they were representing to the insured that they were an expert in the field. Likewise, remember that in some instances an insurance professional has a higher duty of care if they take money for providing insurance advice.
- The ultimate decision rests with your client. Making a final decision about what cyber coverages are appropriate requires technical knowledge and a level of familiarity with the client's business that most agents don't have – at least not in combination. In general, it is a better practice for the agent to advise customers that the agent cannot evaluate their needs with respect to cyber liability coverage. Instead, help your customer recognize the risk, let them know the coverage is available if they wish to purchase it, and assist them in getting answers from the carrier that will help them make the right decision for their business.
The advent of cyber liability exposure and the development of cyber liability insurance present a rising area of E&O exposure for insurance professionals. This exposure can be reduced through familiarity with the product, familiarity with the client's business, and documentation of all offers/rejections. Cyber Liability Insurance continues to be an area of growing importance in the insurance industry. Following these steps will reduce the E&O exposure to the insurance professional, while better serving their customers' needs.
Brian Butcher is a vice president, claims expert with Swiss Re Corporate Solutions and teleworks out of the office in Overland Park, Kansas. Insurance products underwritten by Westport Insurance Corporation, Overland Park, Kansas, a member of Swiss Re Corporate Solutions.