Last week’s PLUS webinar, The Impact of Cyber Risk on Professional Liability, had a number of questions from the audience that our panel didn’t have time to address. Below, moderator Graeme Newman of CFC Underwriting responds to most of those queries.
For much more on the emerging Cyber Liability market, including more from Graeme Newman who is on a panel at the event, don’t miss the 2014 PLUS Cyber Liability Symposium, April 24 and 25 in Atlanta. Register today!
Q: What have you seen as the biggest strengths of standalone policies vs. the broader endorsements on CGL policies, ASIDE from just the higher limits and inclusion of both 1st and 3rd party coverage? Are there any other major strengths we should be focusing on?
A: The key aspect is often the claims service that supports the standalone policies. Handling a data breach requires a very quick and very specific response; this means that it is essential to ensure the right insurer and claims team are appointed. Many of the CGL markets have little to no experience in this area and are the wrong people to be handling such a claim. It would be like having your property claims team handling a professional liability claim; you simply wouldn’t consider it.
Q: Do the majority of professional liability policies (specifically Lawyers and Accountants E&O) provide both 3rd AND 1st party coverage for privacy breaches related to corporate confidential information?
A: This varies across carriers. Most breaches of corporate confidential data do not require a mass notification, but will result in a lawsuit for breach of contract. Often the forensic costs required to find the scale and source of the breach can be provided under a loss mitigation clause.
Q: How would a tech company SaaS model with data storage services & facilities need to structure coverage for the “data recovery” aspect from a covered event? It seems there is a dual coverage aspect of both 1st party/3rd party on the casualty and the property (being data, software, hardware). Any key property coverage talking points, outside of standard ISO property forms?
A: As discussed on the webinar, there is often a big overlap between a tech E&O policy and a cyber policy when it comes to application service providers. In the event of a loss of data they would probably only have a very small sub-limit under their property policy. Data recovery services could potentially be sourced under a loss mitigation provision within a professional liability form, but would be covered with more certainty under a specific first party cyber policy.
Q: Are there any particular risk management measures available to insureds, such as security software or protocols or corporate requirements that employees encrypt portable memory devices such as USB keys and laptops, that would have a significant impact on the cost of cyber liability coverage for the insured?
A: Good risk management (and particularly the use of encryption) will certainly give the insured access to more carriers and as a result this will lower their premium. Often carriers will make a binary decision when it comes to encryption, either providing terms or not, rather than providing a reduced premium due to certain risk control measures being put in place.
Q: What are you seeing as an estimated cost per record for a cyber loss?
A: This varies wildly from breach to breach. There is also no direct linear correlation between number of records breached and cost of the claim. The actual notification component has come down considerably over the last few years from being somewhere between $20 – $30 to sub $5 per record, however, at the same time the cost of forensics, regulatory actions, and public relations management has spiralled.
Q: Was Max (panelist Max Perkins of Beazley Group) suggesting that without insurance breach response companies will take advantage of breached companies?
A: I think Max was simply highlighting the obvious that it is much more cost effective to negotiate a breach response deal with a company before an event than when you are right in the middle of a breach situation.
Q: To clarify the question about corporate confidential info: we are seeing Cyber endorsements being added to the PL forms. Wondering what the extent of coverage is on these endorsements – specifically wondering if 1st party corporate confidential info is offered.
A: This varies from carrier to carrier.
Q: If the Other Insurance Clause makes the PI primary, is there concern over coverage gaps?
A: If the PI is primary then this will only apply where there is coverage under that form, so the cyber would respond where there is a gap. Most clients want to reserve their PI limit for professional claims though, not data breaches.
Q: Besides Lawyers, wouldn’t this also apply to other Professional classes (i.e. Ins. Agts)?
Q: What about, say, contractors professional liability – i.e., an electrical contractor severs cabling… electronic data is lost and an e-tailer can’t operate… can the panel comment on that?
A: This would come through as a liability claim for the contractor. Most cyber forms would not respond for the retailer as there was no security breach.
Q: What about exposure for hacking into email and sending fraudulent email redirecting funds targeted for escrow to account of a fraudster? Are law firms at risk?
A: This is a very big exposure for law firms. Some carriers have extensive cyber crime clauses to cover this, others give no cover at all.
Additional Comments from Graeme Newman:
- The NY Times had an article recently about cyber risks for law firms.
- Don’t forget that a large first party coverage limit can eat away at your overall cyber aggregate limit, leaving a client with a reduced agg to pay the third party liability defense and damages.
PLUS members can view the entire webinar in our multimedia library.