The cyber insurance market is in a state of flux, with new carriers entering the market and offering products so different, it can make a producer's head spin. To learn more about the process of placing risk in this environment, Insurance Business America asked Christine Marciano of Cyber Data-Risk Managers in New York to tell us about a particularly challenging case and the methods she used to crack it.
With over 18 years of experience within the insurance and financial industry in various roles and lines, I’ve been focused exclusively on cyber/data breach insurance for nearly three years now, and as long as the power grid is still operating, my business continues to thrive due to the interconnected environment in which businesses and organizations operate today and its new and evolving complex risks.
As a broker, I work with many clients of all sizes, industries and sectors. As of late, I’ve been working with a lot more clients who, due to the technology services or solutions they provide, will most often require a comprehensive insurance policy that will cover their professional liability, security and data breach risks.
One recent new client of mine is a software provider of a Software as a Service (SaaS) solution, which provides clinical decision support to hospitals. The client came to me for assistance with their professional liability, general liability and security and data breach insurance needs. Due to the sensitive nature of my client’s service, this case was hard to place, as many insurance carriers were concerned about the physical harm that could potentially occur if an error occurred in their software solution.
While their service may be viewed as somewhat intangible in nature, if a technical error occurred while the software was being used in the hospital setting, there was the potential to cause bodily injury. Out of the many risks my client, I and my underwriters discussed, this was ultimately the biggest and potentially the most costly risk they could face if such an event occurred.
There are a growing number of carriers today that are packaging professional liability, general liability and security and data breach coverages into one policy form, which of course has its advantages and disadvantages. For my client, obtaining the right coverage to ensure they were properly protected for the aforementioned risk was of top concern and, naturally, cost followed. We chose to write one policy form that combined all of the above mentioned coverages. By doing so, we helped keep costs down and at the same time enabled them to obtain the proper coverages and limits they needed.
Nonetheless this was not an easy task, due to the significant variations in policy coverages, wordings, and exclusions amongst the handful of policies that we quoted and had under consideration. In such a scenario, it is nearly impossible to do an “apples to apples” comparison due to the broad differences in policy wordings, exclusions, endorsements and coverage variations. We had to approach the policy review and selection process from many different angles, which required a comprehensive review of policy definitions, conditions, coverages and sublimits, exclusions, extended reporting periods, and more.
From a broker standpoint, the interesting factoring piece in putting this puzzle together with my client was that since the “bodily injury” risk was the biggest risk at stake, the policies that we had under consideration varied greatly in where this coverage would be picked up, if it was to be covered at all.
After nixing a few policies from the table, we had two left. In comparing the two, the professional liability limits and security and data breach limits were the same across the board. However, I could not get one of the carriers to match the general liability limit up with the other limits.
We went back and forth, and the interesting factor that was learned during the initial review process was that the “bodily injury” risk was being picked up by the general liability form with this carrier who was not willing to match the other coverage limits. Needless to say, they were very concerned about this risk and were not willing to budge and increase to the needed limit.
If you’re a broker, I know what you’re thinking right now: Well, of course the “bodily injury” is picked up by the general liability policy as that’s what it is supposed to do. And, yes you’re right. However, in this particular carrier’s general liability insuring clause, they were covering claims as a result of any claim arising out of accidental bodily injury, personal injury or damage (stay with me here) occurring during the period of the policy in the course of your “business activities.”
Bingo! A “traditional” general liability policy “is the same as it ever was,” and as we know, it does not cover business activities, aka professional services which requires a separate professional liability insurance policy.
Now remember, the nature of my client’s risk is purely professional services with technology-related risks, which required a technology-based insurance framework from the start, leading me to say that, in the end, this policy was as far from the traditional insurance policy than most brokers today are familiar with. Lastly, this policy “excluded” bodily injury under its professional liability form.
Proving that these policies are not “apple to apple” comparison capable, the other policy left in the mix covered and picked up the “bodily injury” under the “exclusions” in their professional liability form. At first, they excluded the bodily injury, but then generously gave it back and stated that the bodily injury exclusion “shall not apply to claims based upon or arising out of any wrongful act or personal injury in the performance of professional services.” Yes, we have a winner! Needless to say, this policy won my client’s business as it covered them for their most significant risk and at the needed coverage limit, which matched the other policy coverage limits as well.
As you can see, had this been an entirely different client, the issue of “bodily injury” in a technology-based service or solution may not have even been a risk. However, due to the nature of my client’s business, which operates a technology-based platform that is using, analyzing and monitoring patient health information (PHI) in a hospital setting, the “bodily injury” needed to be covered, and finding the right policy may have been more of a challenge than others. However, we managed to get it done.
On a side note, it is no wonder why brokers are not yet comfortable discussing cyber/data breach insurance with their clients due to the non-traditional nature of these policies, complex coverages, significant policy variations, exclusions and endorsements. For the typical broker, it is enough to make your head spin to the nearest drinking establishment. This is why brokers who are not yet familiar with how to build such complex and comprehensive policies should partner with a broker such as myself who can help navigate the many, many policies that are available today and who can help find the right policy for their client’s needs.
The times are a-changin' and so has insurance.