ADMINISTRATIVE PITFALLS OF CYBER INSURANCE POLICIES
How a cyber policy can make insurance brokers
more vulnerable to costly mistakes
By Sandeep Deva
The first cyber insurance policy was written back in 1997. By popular account, it was developed for AIG and called an “internet security liability policy.” It was geared toward information technology companies in the business of managing the networks and systems of other businesses and consumers.
Since then, the internet and cyber capabilities have gotten far more sophisticated and complex, becoming a global communications force for how we work and play. At the same time, its vast expansion has opened the doors to significant risk when valuable data are stored and transferred digitally.
Cyber criminals are increasingly taking advantage of those vulnerabilities, with attacks like data breaches and ransomware rising sharply in sophistication and financial impact. Global cybercrime is projected to hit $8 trillion in 2023 and $10.5 trillion by 2025, according to eSentire’s 2022 Official Cybercrime Report.
Challenges of cyber insurance complexities
In response, cyber insurance has become more complex. Cyber policies have been far more in demand as cybercrime has escalated. As a specialized risk, cyber intrusions are excluded from traditional commercial general liability policies.
Moreover, insurers’ appetite for the risk is on the wane as cyber claims have skyrocketed. It’s resulted in more rigid underwriting requirements; capacity is tight. Lower limits are par for the course and premiums are a lot more costly; increases of 25% to 100% in 2023 are expected, according to a recent article in Risk Management magazine.
There’s a risk and cost for brokers, too.
Brokers today face a growing risk of E&O claims stemming from administrative error,
especially in an environment for cyber insurance that is undergoing substantial shifts.
The insurance industry overall has been slow to digitize, and that includes the brokerage business. But the pace is accelerating. One report by McKinsey and Company identified next-level process automation and virtualization ripe for impact across the industry; in fact, the consultancy found that 44% of brokerage work activities could potentially be automated.
Policy administration is one of those activities, and cyber policies are a prime example of the need to automate, because manual administration can be time consuming and costly.
The broker’s cost to manually administer a cyber policy can rise as dramatically as the premiums. Each policy, often running to hundreds of pages, must be checked for 100% accuracy before it is sent to the policyholder. Cyber is multi-faceted. No two policies are identical, as coverage can span third- and first-party, first-party coverage for computer program and electronic data expenses, and business interruption. Complicating things further is the complex legal language contained in the policy.
The process of manually checking a single policy for mistakes can take hours and involve comparison of a dozen documents to make sure that all the right information has been incorporated. The broker’s manual checking process can create backlogs stretching out for weeks if not months. Imagine the impact when an agency is confronted with hundreds of policies to check during a major renewal period.
Errors that brokers must deal with
Brokers need to be aware of four major types of errors that occur when they manually administer cyber policies:
- Policy and sourcing documents. The greatest risk with this facet of policy administration is missed information. If a policy fails to include electronic data limits and there is a loss, the carrier will refuse to honor the claim. This kind of error can cause the broker to incur a significant errors and omissions (E&O) claim.
Then there are the chances of mismatches due to simple typographical errors, which occur more commonly than you think. This administrative aspect entails a comparison of a final policy with its sourcing documents—such as carrier proposals, including quotes, the application, and the binder. A typographical error can cost the insured millions. Take a proposal that specifies a coverage limit of $1 million for a claim arising from electronic data, but the policy document inadvertently drops a single zero from one reference to a policy limit of $100,000. The majority of a claim will not be paid if the broker fails to discover the error.
Another common risk is failing to catch a mismatch in coverage between occurrence quotes and aggregate limit quotes, and the impact can be huge.
- “Named Insured” issues. Named insured complexities can also lead to manual policy administration errors. For example, a policy might list one named insured in one section that has a slightly different name in the second. There might also be incomplete information about the named insured. The policy might state the named insured as “ABC LLC” but lists the named insured as “ABC” or “ABC Inc.” elsewhere. Even worse is when a necessary reference to a named insured (e.g., a contractor) is inadvertently omitted. If that happens, the contractor would probably not be eligible for coverage in the event of a claim.
There’s even more potential for errors with “additional insureds,” though such issues are more commonly associated with general liability coverage. If a name is omitted from the list of additional insureds, particularly as a loss payee, then the additional insured isn’t eligible for coverage at all.
- Retentions and deductibles oversights. This is another category where mistakes can be costly.
For example, the sourcing document, like a quote, might state that the deductible for the coverage is $1,000 per occurrence on a policy, but the policy itself just states a $1,000 deductible, but neglects to include reference to the occurrence.
Another issue is when there is a conflict between the deductible amounts requested by the client (let’s say a $500 deductible) and what the carrier quoted ($1,000 per occurrence.) As premiums continue to escalate, the size of the deductible can be critical, especially as coverage limits change. And these kinds of changes are increasingly common in the current cyber insurance market.
- The omission of key forms from policy documents. Another over-sight that can result from manual policy administration is the omission of important forms. All those requested in the submission must be listed in the quote and the policy. For example, a submission might request an endorsement for electronic coverage in a commercial general liability (CGL) policy, but it’s not listed and attached to the policy. That endorsement must be attached to the policy.
Brokers today face a growing risk of E&O claims stemming from administrative error, especially in an environment for cyber insurance that is undergoing substantial shifts. Carriers are adding new exclusions and requirements. Ransomware requirements may change and cybersecurity requirements, as well. New, separate policies may be required for specific kinds of coverage.
Manual processing can catch many of these errors. But a single error in a policy can expose the broker and result in a big claim. It makes the case for brokers to adopt better policy management controls. And new technology alternatives pose a significant advantage over manual processing.
Sandeep Deva is vice president, product development for Exdion Solutions, an insurtech that partners with insurance agencies and brokers. Exdion delivers a suite of digitization tools and platforms that work in tandem with agency management systems cutting across new business generation, renewals, and compliance.