You won’t want to miss this three-part episode of Charlie’s Corner. He and his guest, RT Specialty’s EVP, Jackie LaRock, discuss the impact of Covid-19, touching on Cyber Liability, Public & Private D&O, and Employment Liability coverages. Join us this week to start with the topic of Cyber Liability. One main takeaway from today’s episode: look out for the aggregation of potential risks. For another podcast episode on Cyber Liability, listen here.
Edwin K. Morris (6s):
Welcome to the Trusted Advisor Podcast brought to you by Iroquois Group. Iroquois is your trusted advisor in all things insurance. This week, you are listening to Charlie’s Corner, a segment hosted by our very own Charlie Venus.
Charlie Venus (21s):
So welcome to our podcast today. Our guest is Jackie LaRock. She’s an executive vice president in RT Specialty’s pro exec practice group. Her sole focus is placement of management and professional liability lines for all business sectors on a national and international basis. Before becoming an insurance broker, Jackie was employed by executive risk job in the Hartford and various legal and executive underwriting roles. And prior to joining the insurance industry, she practiced law in Connecticut. And I should also point out that when I retired from the Hartford and went into the agency side of the business, Jackie was my mentor when it came to management and professional liability.
Charlie Venus (1m 3s):
So welcome Jackie.
Jackie LaRock (1m 4s):
Thank you, Charlie. Appreciate it.
Charlie Venus (1m 6s):
So, Jackie, what I was looking for to talk about with you today is really a couple of the management and professional liability lines, specifically what’s going on in cyber liability, private D&O, and to touch on employment practices a little bit. Let’s start with cyber liability. So what’s going on in the marketplace there in terms of pricing, rate, coverage terms and conditions, and even from a claims standpoint?
Jackie LaRock (1m 37s):
In the cyber world, there has been a lot of capacity. There are a number of carriers, probably in excess of a hundred, that currently write cyber liability insurance. So there are many options. The forms obviously differ significantly sometimes from carrier to carrier. As respect to the marketplace now, I’d say we were experiencing one of the more significant changes in the marketplace due to recent exposures and upticks due to the pandemic. So with the pandemic, employees are increasingly at home, they are experiencing additional stresses and distractions. There’s decentralized corporate functions.
Jackie LaRock (2m 17s):
And there’s a lot more communication, obviously by email, as people are forced to do instant messaging or emails versus walking over to speak with a colleague. Cybercriminals excel in finding social, individual, and corporate real vulnerabilities. And they certainly have done so as well in the current pandemic. In the past, you would have seen social engineering exposures in the news where criminals were fraudulently inducing companies to wire transfer sums of money. However, in 2020, the major exposure in the cyber liability insurance world has been ransomware. And there’s no question about that. In the past, there were claims that would demand an amount of a couple hundred dollars, perhaps a couple thousand.
Jackie LaRock (3m 2s):
However, in 2020, the black hats have been very, very aggressive in terms of their demands. The demands now are often into seven or eight figures, which is obviously a big change from where they were in the past. In addition to the demands getting higher, there’s just a proliferation of ransomware attacks against a wide range of organizations. This includes governmental entities, healthcare entities, manufacturing companies. This proliferation of attacks has caused the marketplace some strain, particularly on those underwriters that write the mid and larger size accounts.
Charlie Venus (3m 38s):
You know, when you look at cyber in its infancy, it was more about paying for, you know, the data breach coverage. Somebody lost their data. There was a third party exposure, third party liability exposure. There was a first party exposure to pay for the, the notification expense. Are you seeing a shift from that? What we originally thought as the typical cyber liability coverage to more the social engineering claims or ransomware attacks, is that where it’s moved to?
Jackie LaRock (4m 13s):
Absolutely unquestionably. There’s been an uptick in that, that the, what I would call e-crime, social engineering, again, ransomware attacks, the dollars are bigger in terms of what the carriers are paying out. And the criminals have found that they can do less work and reap bigger rewards by having larger ransomware demands. So when a claim is made now, or an incident is noticed regarding ransomware, you still do have the forensics, that forensics cost that needs to be incurred to evaluate what happened. But then there’s additional costs of a ransomware negotiator payment at the end, the actual ransomware demand, if needed by the insured. You’ll also have involvement of counsel looking at whether the potential ransomware perpetrator is on the OFAC list.
Jackie LaRock (5m 1s):
Given the recent pronouncements by the Department of Justice, indicating that if payments were made to entities or individuals on the OFAC list, that there could be issues with respect to the federal government issuing fines against insureds. So all of these things have kind of caused the perfect storm in the cyber world. And again, this is particularly in the last three to four months. Other changes that are impacting the cyber market are aggregation of risk. So this summer there was a cloud computing company that had a data breach and that data breach impacted a significant number of their customers, most of whom had their own cyber policies, so that you ended up with a domino effect of a number of companies or entities, non-profits in this case, that were impacted by data breach at the cloud computing company level.
Jackie LaRock (5m 50s):
So again, that resulted in an uptick in the overall claims because you have so many parties that are impacted.
Charlie Venus (5m 57s):
Jackie with that I mean, particularly with that cloud computing issue that you described, I mean, a couple of things there. Number one, would you say that this really puts the emphasis on having business interruption coverage on your cyber policy when these ransomware attacks happen? And secondly, looking at these contracts that you sign with these cloud computing companies, because I could see where a lot of people are, think they’re transferring their cyber risk exposure to the cloud computing company, but when you have that big of a loss, it’s still going to come back on that individual entity.
Jackie LaRock (6m 34s):
Yep. Very well-taken points, Charlie. Business interruption is more important than it has been in the past because the reality is that when ransomware strikes, a company often has to shut down their systems or keep them open, but not use them for a period of time. And that time could be a week or two weeks. So there’s no question that business interruption loss has been more important in recent time to insureds, due to the ransomware exposure. As respect to the reliance on the cloud computing company, I have always told insureds they should have their own cyber policy, even if they are relying on a cloud provider. The data belongs to the entity that is placing the data in the cloud.
Jackie LaRock (7m 19s):
So though the cloud provider’s providing a place to store it, to access it, the data still belongs to the entity that put it there. And the obligations to notice people impacted, specifically consumers impacted by a data breach, rests with the client, if you will. So it’s important for entities to understand that, that you can’t really pass off your cyber liability. Obviously there’s a chance and opportunity to subrogate as to the cloud computing company, but then you also have the issue, as you said, of limits, what is the appropriate number, what is the appropriate limit. Do you end up with an aggregation of risk that may not be addressed by the program maintained by the cloud computing company?
Charlie Venus (7m 60s):
What do you suggest for companies from an action standpoint that they feel like they’ve transferred this risk and not only the risk, but also the data storage to a cloud computing company where it’s much more or supposedly much more secure? Is it that they have a second backup somewhere else? In addition to the storage with a cloud computing company?
Jackie LaRock (8m 24s):
I think a backup is probably a good idea, but I would actually defer on that question to the IT professionals that support these various entities, because I think they’re probably in a better position to respond to that.
Charlie Venus (8m 39s):
What are the carriers doing? You know, I know they’ve gotten much more extensive when they’re looking at the cyber liability controls on big companies. What are they looking for typically in terms of data storage or do they prefer the private server or do they prefer the cloud computing or cloud storage or no preference – they can, they can go either way?
Jackie LaRock (9m 3s):
I have not seen in the placements I’ve done a marked preference for one or the other by insurers. So initially when there was a big increase in companies putting their data in clouds, I had some concerns about what underwriters were going to expect, and it hasn’t been an issue thus far, but again, I do think you end up with this aggregation of loss when you do have a breach that occurs at a cloud provider, as we’ve seen in the recent past.
Charlie Venus (9m 33s):
So with all this uptick in, in claims and breaches and ransomware attacks, what is that doing to the marketplace in terms of rate increases and changes in terms and conditions?
Jackie LaRock (9m 46s):
With respect to smaller accounts, it hasn’t had a significant impact yet with respect to medium and larger sized accounts or those accounts that have a lot of data, or those entities that for example, are in the public space, municipalities, state agencies, et cetera, there’s been a marked change in underwriter appetite and terms. And I’d say in the last, probably the last month to two months, we’ve experienced what I refer to as the ground, the ground moving beneath our feet as brokers, because we will be in the midst of working on a placement and in the midst of working on that placement or that renewal, we’re getting feedback from underwriters saying, ah, our terms are changing or hold on.
Jackie LaRock (10m 28s):
We might not be able to entertain this risk anymore, or by the way, our retention is going to be doubling from what we initially had indicated to you a week or so ago. That’s the challenge for again, mid-sized to larger accounts with has, would have some complexity because underwriters may be at the point of either modifying their appetite, radically changing terms, looking at increases in premium, increases in retention. Those are the changes that we’re seeing again, mostly over the last month or so.
Charlie Venus (10m 58s):
And what do you say to those, to those small clients that currently have some basic cyber coverage in their BOP policy? You know, that’s notification expense, third party liability expense. I would think they really need to go out and buy a full-fledged cyber policy to get the protection, to get that business interruption protection and the ransomware protection, you know, that you’re talking about from a loss standpoint, that’s being so impactful.
Jackie LaRock (11m 29s):
No question about that. Some of the add-ons to BOPs or even add-ons to errors and omissions policies just provide coverage for liability. And unfortunately, some insurers look at their policy, they see an endorsement, it says cyber liability at the top, and they don’t read any further or they don’t feel comfortable reading further to understand the details. So there’s no question that entities of all sizes and all industry segments should be looking at liability insurance. That includes first party coverage. And many of the costs out of pocket class that are paid when an incident occurs. Liability coverage for those potential lawsuits or investigations brought by regulators and certainly business interruption and coverage for social engineering and ransomware are absolutely critical.
Jackie LaRock (12m 14s):
The whole point of cyber liability insurance, as I explained to insureds that I speak with, is to have a group or people of experts that are there to help you. Because very often you become aware of a ransomware attack or a data breach on Friday at five o’clock or Thursday at 1:00 AM. They never occur at the most rational, reasonable time. It’s typically an inconvenient time when there’s word that computers have been locked down to a ransomware attack. And as one insured told me recently, if I had to go and start calling and deciding what law firm to hire and what forensics for them to hire, et cetera, at that time of crisis, it would have been much more difficult than making a phone call to an insurer of cyber liability and having a team of people available to help them through that process.
Charlie Venus (13m 0s):
One more question on the cyber piece, Jackie, on a lot of the cyber policies today, you can include social engineering. You can include wire transfer fraud and computer fraud. In your opinion, is the coverage on the cyber policies for those three elements equal to what you would buy in a crime policy, or is the crime policy still the preferred method to, to cover those exposures?
Jackie LaRock (13m 27s):
There is a difference between the coverage that’s provided under crime policies and coverage provided under cyber liability policies as respect social engineering claims. So for example, there may be a requirement under a crime policy that requires a secondary means of authentication, or there may be a requirement for secondary authentication under a cyber liability policy as well. So due to the fact that there may be slight differences in how coverage is triggered or even excluded under one or the other policy, meaning crime or cyber, we do recommend both. The other factor to be taken into account is the fact that most cyber insurance policies are not able to offer more than $250,000 worth of limits for social engineering coverage.
Jackie LaRock (14m 18s):
So it’s necessary to stack multiple layers to get to desired limits. Those carriers that are able to offer full limits, in other words, for example, a million dollars for social engineering coverage, are typically having a restriction on it, which says that if there wasn’t an out-of-bandwidth authentication attempt, then there’s no coverage. So if someone forgot to make a phone call to verify that the email was not fraudulent, then there’s no coverage. And that kind of removes the whole purpose of the coverage in the first place.
Charlie Venus (14m 49s):
Thank you, Jackie. Join us next time for our conversation on D&O.
Edwin K. Morris (14m 54s):
Thanks for listening to this edition of Charlie’s Corner brought to you by Iroquois Group. I am Edwin K. Morris, and I invite you to join us for the next edition of the Trusted Advisor Podcast.