October 20, 2022


By Bill Haber, Published in Rough Notes September 30, 2022

In its February 2022 issue, Rough Notes ran a piece by Joe Harrington on E&O challenges facing agents. The article focused mostly on the pandemic, but it also touched on the rise of cyber exposure. It noted that cybersecurity risk and cyber insurance coverage may be “the fastest-growing E&O exposures for agents and brokers in all sectors.”

Harrington’s reporting provides a good jumping-off point for further examination of this looming liability issue for agents who sell stand-alone cyber insurance or business packages that provide some type of cyber coverage. Just as cyber is a constantly evolving market, the risks agents face in selling these coverages are quickly changing, as well.

While some agents and brokers are very knowledgeable about technology and cybersecurity risk, most are not. Nor, in my opinion, should carriers and MGAs expect them to be. Yet, the way cyber coverage is sold today puts agents in danger of becoming the fall guy in the event of a cyber liability lawsuit.

Consider these aspects of the current cyber market:

  • More demands are being placed on agents and brokers to become cyber experts. Carriers are sponsoring “cyber academies” that provide training to agents on the principles of cyber risk. A little bit of knowledge can be dangerous, though. Are agents really able to protect their clients from the latest cyber threats and validate their loss controls after just a few learning sessions?
  • Insureds rely on their agents and brokers to help them fill out increasingly complicated cyber insurance applications. In their attempt to better underwrite cyber risk, carriers have made the application process an ordeal. Clients are confused and frustrated by the questions, and agents are left in a position of advising them in areas where they may have very little expertise. If an incorrect response leaves the insured unable to bring a claim, is this claims advocacy?
  • Agents find themselves counseling clients on the types of cyber controls they need in order to get coverage. This sets them up for making mistakes, overlooking critical security risks and making inappropriate technology recommendations—essentially exposing them to expensive E&O claims. How does this improve client relationships?
  • E&O liability increases whenever agents and brokers represent themselves as an expert or the client views them as an expert or specialist. The agent must meet a higher “duty of care,” which typically agents aren’t subject to if the client determines for themselves the scope of coverage required, the amount of premium they are willing to pay, and how much they will self-insure.
  • Cyber liability lawsuits can cost hundreds of millions of dollars. Perhaps the most expensive case to date is the $1.4 billion lawsuit Merck won against its insurer, ACE American, which denied coverage for the malware known as NotPetya. Agents need to arm themselves with sufficient E&O coverage to protect against a major loss if they are held liable for errors made in the sale of cyber insurance. Most E&O claims come down to not providing the client with enough coverage or the right coverage—two areas where cyber can be very tricky since it’s continually adapting to new threats.


Pushing the boundaries of agent expertise

Cybersecurity is a field that requires extensive experience and training. Security professionals are constantly scrambling to safeguard systems in response to increasingly sophisticated attacks. It’s a field, too, that has a complex body of regulations that organizations must comply with. It’s tough to keep up, even for someone who works in cybersecurity full-time.

If you’re an agent, ask yourself these questions:

  • Am I trained and qualified to diagnose cyber risks?
  • Am I familiar with the wide variety of cybersecurity mitigation techniques?
  • Do I have intimate knowledge of the various cybersecurity solutions available to businesses, and which ones are appropriate for my clients?
  • Do I know what kind of technology my clients have? Do I know their specific compliance obligations?
  • Do I know how vulnerable my clients’ systems are to threats?
  • Do I know and can I validate what cybersecurity controls my clients have in place to protect data, secure log-in credentials, and prevent phishing and ransomware attacks?
  • Do I know if my clients have instituted a cybersecurity culture? How committed are their CEOs and leadership to cybersecurity?

The answer to most of the above questions is likely to be “no.” Yet clients are relying on their agents to help them identify and reduce their cyber-risk exposure. This is a tall order, and, frankly, it shouldn’t be the agent’s job.

Rather, the agent’s responsibility is to understand the insurance market—to know which carriers are offering coverage, what their policies contain, the limits and conditions on those policies, and how much they will cost.

Every day, agents are making recommendations to clients based on limited cybersecurity knowledge and an incomplete understanding of the client’s threat environment. If the client gets hit with a data breach, a forensics analysis will likely determine where mistakes were made. If it was a coverage that wasn’t mentioned by the agent, it’s the agent who’ll be blamed. If there are massive losses, it’s going to be a huge E&O problem.

Third-party independent assessments are key

There isn’t any doubt that agents and brokers need to protect themselves from cyber liability. But how? A good first step is to require an independent assessment of the insured’s vulnerabilities and cybersecurity controls.

Let the agent focus on policy language and the differences between carriers. Then seek third-party expertise, whether it’s a managed security service provider or some other knowledgeable source, to assist in the application process.

If you look at the security industry and how it engages with clients, it’s always through assessments done by professionals. Why shouldn’t it be that way for cyber insurance?

For large policies, there’s already an expectation that the insured will have a third-party assessment. But for small to mid-sized businesses, this generally isn’t the case. That’s unfortunate because all types and sizes of business can fall victim to cyber crime.

With premiums skyrocketing and more businesses being declined because they don’t have the appropriate controls, it’s critical to get cyber submissions right. Today, a firm’s security risk profile may be more important than its Dun & Bradstreet report. A firm’s ability to do business depends on its responsible stewardship of data and on being able to get cyber coverage.

It starts with the acknowledgement that assessing technology risk requires specialized expertise. That can range from security auditors for a large company to a less-expensive service for a mom-and-pop business.

At a minimum, a quick, standards-based risk assessment should be part of the process. These independent assessments should replace, or at least accompany, policy applications. And because it’s so hard right now to get cyber insurance, a submission should include a credible document that reflects a professional having been consulted—similar to a CPA’s letter accompanying a financial report.

In short, we need to come up with a better way of matching true client risks with true solutions. If we’re relying on busy insurance professionals to advise their clients, something’s bound to get missed. That’s not good for the client, and it puts the agent at risk for an expensive E&O claim.