Today on PLUS blog we’re going back into time. As cyber coverage continues to grow and evolve in the professional liability arena we thought it would be interesting to look back at where it started. This post includes outtakes from some of the earliest PLUS Journal articles dealing with cyber coverage. The question is… how much has this still relatively new line of business changed in the twelve years since these first mentions?
From “What Have the Doctors, Drugstores, Realtors, Lawyers…. Forgotten About the Internet… BUT Plaintiff Attorneys Remembered?” by Peter R Taffae (October 2000).
The Internet revolution has started. Many professional firms that are conducting business on the Internet are not addressing their professional exposures. There are currently dozens and dozens of medical advice web sites, as there are dozens and dozens of legal, insurance, accounting, and real estate. If you are in the services industry and have a web site, your firm and senior management need to address the numerous exposures that are associated with conducting business utilizing the Internet.
The traditional professional E&O/malpractice underwriters usually are not interested in the e-professional exposures because they extend beyond the historical brick and mortar of professional perils. Most E&O underwriters’ treaties do not address the bulk of Internet exposures.
When addressing the e-professional exposures of an Internet services firm, one must consider a number of important insurance coverages. One of the largest areas of concern is the “contextual” liability that arises from the errors and omissions that exist in the web site text. Contingent bodily injury and property damage now become a real concern, for example: a content provider ISP has a “health” page that provides “simple remedies” for everyday illnesses. However, because of an allergic reaction the “remedy” causes a worse injury. This scenario illustrates a contingent bodily injury that arose out of the site’s text (i.e.: contextual liability). Because “hacker/cracker” unauthorized access to web sites always leaves the possibilities that the text of web sites will be altered, this exposure should be addressed via insurance protection. Be sure that any insurance protection purchased covers employees (usually disgruntled when committing an unauthorized entry), and external including but not limited to competitors. Internal “cracking” (malicious activity vs. hacking which is prompted by an intellectual objective), is the most frequent, although cracking for anti-competitive and political statement purposes are growing rapidly.
The global nature of the Internet means that contextual liability has no boundaries and material posted on one’s web site can turn up anywhere in the world. Hence, because of the ease of the Internet the “problems” become international in seconds. In the brick and mortar environment E&O/ malpractice can often be minimized. This is not true in a quick and global Internet environment. With over 250 million people having Internet access and sharing information, what once was a contained problem can now become a disaster for a professional firm overnight.
From “Emerging Technologies Create New Liabilities for U.S. Businesses”, a recap from the 2003 E&O Symposium (July 2003).
Cyber insurance covers a wide range of events such as denial-of-service, hacking and computer virus attacks, as well as cases of identity theft and cyber-extortion. Over the last five years there had been an evolution in the availability and use of insurance to manage cyber-risks.
Bob Wice, underwriting manager, AIG eBusiness Risk Solutions, explained that the market had evolved from the late 1990’s when the Internet and dotcom companies like Amazon and Yahoo first realized the need for insurance coverage. Today, financial institutions, healthcare companies and wider corporate America are all looking to protect themselves from breaches of network security.
Chris Cotterell, vice president – insurance services, SafeOnline Ltd, said there is no doubt that non-technology companies are now much more aware of the potential liabilities arising from the use of technology.
The passage of new legislation like Sarbanes-Oxley, Gramm-Leach-Bliley and the Health Insurance Portability and Accountability Act (HIPAA) has raised the level of awareness because the responsibility is now on companies and their directors to be legally compliant and protect corporate assets.
“In 2002 we saw more buyers coming into the market. Financial institutions were looking around for some sort of technology E&O cover and the market began to take off. 2003 has seen even more awareness among buyers of digital risks,” Cotterell said.
Despite the growth in exposures and in the specialist insurance products available, several panelists suggested that the market is not yet delivering exactly what buyers need to protect their business.
According to Joshua Gold, Esq. of Anderson Kill & Olick, a law firm which represents policyholders in dispute with insurers, the technology insurance market from a buyer’s perspective is tough.
Many buyers feel that the products being offered by insurers are not offering enough capacity for the premium. “We are hearing ‘I need something that is going to cover me for the big, big hit. $50 million to $100 million is what I need,’” Gold said.
Cotterell noted that the market is still developing, although he believed the underwriting community got smart about how to write large technology risks and is listening to feedback from policyholders about what they want in their policies.
“Companies with the expertise have gone on and done analyses and given underwriters a lot of ability to write the risk,” he said.
He also believes that as the smaller bricks and mortar companies with technology exposures grow their businesses and expand the coverages they buy, it would provide a lot of confidence to underwriters.
What changes have you seen in cyber coverage over the last 12 years?
What a great idea for a thread; thanks!
A few observations:
* In 2000, what we now call our Cyber/Privacy Insurance Market Survey was called e-Commerce Market Survey (and, that issue included a guest article by Peter Taffae, who you quoted above)
* The 2000 version was all about doing business over the Internet, and ignored users; if an insured didn’t accept credit cards, it wasn’t a buyer.
* Privacy? Breach Response? Social Media? We weren’t even thinking about them.
* It included 10 markets, a few of which were wholesalers
* The 2012 version includes 31 carriers
* Much if not most of the interest is in Privacy and Breach Response
* Breach Response value-added services are a key component of the product; managing their costs (and effectiveness) is a prime challenge for underwriters
* Cyber is spreading out into other policy offerings, including package (BOP) policies, professional liability (medmal), and Management Liability products.
* And it looks like there’s about $1 billion of premium (U.S.-sourced policies)
The future? More underwriting credits for effective preventative services, better understanding of the sources of claims, and more knowledgeable agents and brokers