Today, extortion is rapidly expanding beyond human kidnapping, and extortion insurance coverage is expanding along with it. Agents and brokers need to understand provisions in policies that address the exposures.

In confidence, but how strict?

By Joseph S. Harrington, CPCU

If you don’t want to become a victim of extortion, it’s wise not to tell people you have money to pay ransoms. And if that ransom money comes from an insurance policy, it may not be available if you tell anyone about it. Loose lips can sink ships and, perhaps, void certain insurance coverage.

In recent decades, “kidnap, ransom, and extortion” (KR&E) insurance has become a common element of commercial insurance packages, especially for large organizations with global operations. In general, KR&E insurance covers costs for search and rescue, expert negotiators, and ransom payments in the event key people are held hostage for ransom.

In 2002, the Insurance Services Office (ISO), the largest advisory organization serving the U.S. property/casualty insurance industry, introduced the first standard KR&E policy forms in the U.S. Among other things, the forms included a “confidentiality” provision. Today (after a 2012 revision of the program), that provision reads as follows:

“You and every ‘insured person’ must make every reasonable effort not to divulge the existence of this insurance.”[i]

Essentially equivalent provisions are included in proprietary KR&E policies in the U.S. and around the world.

Intent and enforcement

Chadler Solutions, an independent agency based in Fairfield, N.J, explains that confidentiality KR&E provisions “[are] is designed to thwart employees from revealing to potential captors that they are insured. A large K&R insurance policy may make the employee a lucrative target.”[ii]

While the logic of intent is clear, the logic of enforcement is not.

Under confidentiality provisions, insureds are typically directed to use “every” or “all” reasonable means to prevent disclosure of KR&E coverage. But it Is not readily apparent what would constitute a breach of the provision, or what would happen if there was a breach.

Would coverage be voided if an officer casually discussed the coverage and the comments were picked up by someone with criminal intent? What if knowledge of the coverage was circulated carelessly, but played no role in an actual kidnapping?

Such questions should be mostly academic as long as KR&E insurance applies to humans.

An insurer would risk a huge legal, regulatory, market, and public relations backlash if it allowed an individual to languish in captivity because the coverage had been disclosed. It wouldn’t be much better to try to collect from a victim or his/her organization after the fact, unless there was strong evidence of fraud or gross negligence.

Spreading exposure

Today, however, extortion is rapidly expanding beyond human kidnapping, and extortion insurance coverage is expanding along with it.

In particular, “cyber” insurance policies now commonly provide coverage for losses arising from “ransomware,” coding maliciously implanted to paralyze or deny access to an organization’s data networks. Also, coverage for malicious product tampering by extortionists has become a common component of product recall insurance.

As with the danger of human kidnapping, one does not want to publicize that money is available to pay ransoms for cyber or product extortion. Therefore, confidentiality provisions modeled on those in KR&E policies are a standard part of cyber and product recall policies, but pose some unique challenges in enforcement.

Whereas KR&E coverage is typically provided through a stand-alone policy or a separate coverage part, extortion coverage in cyber and product recall policies is often incorporated with a series of other first- and (sometimes) third-party coverages.

In that context, it’s difficult to conceal existence of cyber/product recall extortion coverage without concealing the existence of the entire policy, especially as extortion coverage becomes a standard component of such policies.

Sharing among partners

Also, networked operations and product supply chains involve integrated collaboration among different organizations, each of which is often asked or required to provide evidence of insurance for critical functions, including coverage for cyber or product extortion.

To comply with such demands would typically be more than the law requires, thus technically violating confidentiality provisions that restrict permissible disclosure of coverage to “that required by law.”

The matter is further complicated by the manner in which confidentiality provisions are incorporated into policies covering multiple perils besides extortion.

In some cases, care has been taken to apply the confidentiality provision only to the specific coverage for extortion. In other cases, confidentiality provisions are incorporated in their entirety and technically apply to an entire policy, whether intentionally or not. Taken to a logical extreme, that could prevent essential communication with business partners about other types of coverage.

Responsibilities

Agents and brokers have clear responsibilities when it comes to coverage confidentiality:

• Review specific confidentiality provisions to determine the extent of their application (to one coverage or the entire policy);
• Contact carrier representatives to learn what type of policy disclosure is permissible, and to whom;
• At the same time, try to establish what might be regarded as a breach of the provisions, and what the consequences might be; and
• Point out confidentiality provisions and their potential implications to applicants and insureds.

In all, it may be best if carriers, producers, and risk managers work to isolate all extortion coverages into separate policies or coverage parts. It’s tricky enough to enforce coverage confidentiality. Entangling it with coverages that don’t need to be held confidential adds unnecessary complication.