Tag Archives: cna

New Power Shift in P&C Insurance

P&C insurance carriers have witnessed a lot of changes in the past decade, but few have been as surprising as the shift of power currently taking place across the industry.

According to Dennis Chookaszian, the former CEO and chair of CNA, carriers maintain only 40% of profits today, representing a drop of 20 to 25 points from the 1960s. An equal share now goes to the distribution system, as carriers line up to acquire and maintain more customers.

What’s behind this shift in profitability can’t be summed up in a single word, but increasing competition, new market entrants, improving technology, changing customer expectations and continued consumer price sensitivity all play a role.

To remain competitive, carriers will need to gain more control over distribution, a goal that even Chookaszian admits will not be easy to achieve.

Why the Power-Shift Toward Distribution

In the mid-part of the last decade, insurance carriers required two primary competencies to operate: data and capital. Because neither was easy to acquire, competition was less robust, and incumbent carriers found greater profitability, taking in roughly two-thirds of insurance transaction profits.

Today, data is everywhere, and through the use of analytics, simpler than ever to understand and use. Capital is also easier to acquire, as is evidenced by the growing number of insurtech players in the industry. According to Willis Towers Watson, $2.3 billion was invested in new insurance tech companies in 2017.

According to Chookaszian, the core competency for insurers now lies in distribution and control of the customer.

“It’s become so competitive that the carriers basically are always out looking for new accounts,” Chookaszian says.

That means higher commissions are paid to agents as carriers battle it out for market share, resulting in shrinking margins.

“Given the shift in profitability to distribution, the carriers that will be better off will try to regain some control over distribution,” Chookaszian says.

Admittedly, that is not an easy thing to do. The agent enterprise is part and parcel of most insurance operations. Directly selling insurance to consumers will require insurers to set up their own distribution systems, while still supporting their vast networks of independent or captive agent forces.

See also: The Future of P&C Distribution  

Distribution Goes Digital

When Benjamin Franklin started the first successful U.S.-based insurance company in 1752, he was dealing with a localized Philadelphia population, but, by the end of the 18th century, citizens were moving westward, making it necessary for insurers to expand their distribution networks.

The Hartford made the first foray into direct distribution by offering insurance through the mail, but few consumers of the time were willing to give up the personal services of an agent when it came to purchasing something as critical as insurance. Carriers of the time faced a similar dilemma as carriers do today: how to acquire customers in a changing marketplace.

According to the J.D. Power 2018 US. Insurance Shopping Study, insurers are aggressively courting customers with new options and amenities as auto insurance rates remain stagnant and the number of consumers seeking coverage declines.

“We’re entering an era of consumer-centric insurance that will likely be marked by a surge in new digital offerings and serious efforts by insurers to improve the auto insurance shopping experience,” says Tom Super, director of the property and casualty insurance practice at J.D. Power.

This shift is happening across all lines of coverage, even small commercial.

While citizens on the new 17th-century frontier may have been hesitant to buy coverage without the guidance of an agent, many 21st-century buyers have no such qualms. Nearly half of consumers responding to a survey conducted by Clearsurance said that they would purchase an insurance policy online, while 65% believe this will be the primary channel for purchasing coverage within the next five years.

According to research conducted by Accenture, consumers are open to a number of new possibilities when it comes to buying the policies they need:

Power in the form of profits may have shifted to distribution, but consumers are making a power play of their own, demanding greater service and amenities and taking their business to the carrier most capable of meeting preferences and price points. In a world of shifting power, creating an active, online distribution channel puts more of the profit back into the carrier’s bottom line and allows it to attract more customers in three distinct ways.

Cutting Transaction Costs

According to a report from the Geneva Association, the leading international insurance think tank for strategically important insurance and risk management issues, 40% of P&C premiums are absorbed by transaction costs, leading to inflated policy pricing that drives away potential customers. PwC pegs distribution as a heavy culprit, reporting that 30% of the cost of an insurance product is eaten up in distribution.

On the other hand, Bain predicts that insurers could cut the cost of acquisition by as much as 43% through digitalization. Underwriting expenses could drop as much as 53%.

Reducing these costs allows insurers to present a more attractively priced product to consumers, an important consideration given that 50% of customers base their loyalty with an insurer on price.

To understand how costs are reduced through digital distribution, it helps to understand how a leading digital distribution platform works to raise efficiency. According to PwC, up to 80% of the underwriting process can be consumed by administrative tasks that require manual workarounds, such as re-entering information into multiple systems.

Much of this re-inputting of data is due to the siloed nature of insurers’ administration systems. Digital distribution platforms create a layer between the front-end online storefront, where customers enter application data, and the back-end systems used to store information.

As consumers enter their personal details into the online application, all back-end systems are populated automatically, eliminating the need for manual work-arounds. Everyone across the organization has the same view of the customer and access to any information that has been provided.

Digital platforms are also masters of straight-through processing, automating the quote-to-issue lifecycle and reducing the need for manual underwriting. By automatically quoting, binding and issuing routine policies, insurers reduce costs and also provide a more “informed basis for pricing and loss evaluation,” according to PwC.

As costs drop, insurers are also able to more competitively price insurance coverage. Lower prices win more customers allowing insurers to take back some of the profitability of distribution.

Improving Customer Experiences

When it comes to insurer-insured relationships, there is a gap between what consumers want and what insurers provide. Consumers rate the following points as very important aspects of the insurance buying experience:

  • Clear and easy information on policies
  • Access to information whenever it is needed
  • Ability to compare rates and switch plans
  • A wide range of services

But few consumers agree their insurer is meeting these expectations:

27% see clear and easy information on policies

29% report access to information whenever they need it

21% say there is the ability to compare rates and switch plans

24% see a wide range of services

The customer experience is becoming a key differentiator across the insurance industry. McKinsey reports two to four times higher growth and 30% higher profitability for insurers that provide best-in-class customer service, but here’s the rub. Only the top quartile of carriers fall into this category.

Becoming a customer experience leader requires insurers to understand that the separate functions associated with policy sales and distribution appear as a single journey to consumers. They expect to quote, bind and issue multiple policies through a single application, using as many channels as they feel necessary to get the job done.

While 80% of consumers touch a digital channel at least once during an insurance transaction, 45% of auto insurance shoppers use multiple channels when making a purchase. They expect to be recognized across these channels, picking up in one where they left off in another.

The multiple back-end systems employed by most insurers present a strategic dilemma here, as well as in the area of cost containment. Without transparency between channels, consumers are forced to restart a transaction every time they change their engagement method.

“It amounts to a great deal of frustration for the consumer,” says Tom Hammond, president U.S. operations, BOLT. “You start an application online and then call the customer-facing call center, and they can’t see what you did through the online storefront.”

Hammond explains that digital distribution needs to be omni-channel distribution, seamlessly integrated with a single view of the customer. It’s the only way to meet consumer experience expectations now and into the future.

Thanks to advances in analytics and artificial intelligence, the amount of data that is available to carriers has grown significantly, and consumers expect that information to be leveraged for their benefit. Eighty percent of consumers want personalized offers and pricing from their insurers.

Progressive is one of the 22% of carriers currently making strides to offer personalized, real-time digital services, having recently released HomeQuote Explorer. From an app or computer, consumers can enter information once and receive side-by-side comparisons from multiple homeowners insurance providers. According to the company, they leverage a network of home insurers to make sure customers can find the coverage they need at a comfortable price.

Oliver Lauer, head of architecture/head of IT innovation at Zurich, believes these collaborative networks are an integral part of the digital future of insurance.

“Digital innovation means you have to develop your insurance company to an open and digitally enabled platform that can interface with everybody every time in real time – from customers to brokers, to other insurers, but also to fintechs and insurtechs,” Lauer says.

Using a digitally enabled market network, insurers can fill product gaps and even meet customer needs when they don’t have an appetite for the risk. The premise is simple. By offering coverage from other insurers, they maintain the customer relationship and reap the rewards of loyalty.

As society changes and consumer needs evolve, the ability to personalize bundled coverage to the needs of the individual will become increasingly important. Consumers are now looking for coverage to mitigate risk in previously unheard-of areas, such as cyber security, identity theft and even activities related to legalized marijuana.

When an insurer is unable to provide the coverage a customer needs, it risks forfeiting that relationship, and any other policies bundled with it, to another carrier. But when the carrier takes part in a market network, it can bundle the appropriate coverage from another insurer with its own products, personalizing the coverage to better fit the needs of the customer.

See also: Key Strategic Initiatives in P&C  

Digital platforms offering market networks also set the stage for insurers to offer ancillary services, such as roadside assistance, that make their insurance products more attractive to consumers. We see this happening with increasing frequency as carriers seek to improve the customer experience and lift their acquisition efforts.

DMC Insurance, a provider of commercial transportation insurance solutions, recently announced a partnership with BlackBerry Radar. The venture would provide transportation companies with real-time data on vehicle location, as well as cargo-related information, such as temperature, humidity, door status and load state. Information like this will help companies better manage risk.

In the personal lines market, insurers are partnering to offer services that enhance the life of their customers. Allstate’s partnership with OpenBay allows consumers to review repair shops and schedule an appointment from an app. Allianz is helping home owners safeguard properties by partnering with Panasonic on sensors that monitor home functions and report issues. Customers can even schedule repairs through the service.

Digital Distribution Benefits All

J.D. Power reveals that digital insurers are winning the intense battle for market share in the insurance industry, starting a shift that could help level the profitability field between distributors and carriers. In a recent insurance shopper survey, overall satisfaction was six points higher for digital insurers over those that sell through independent agents. This lead grows to 12 points when compared with carriers with exclusive agents.

According to research by IDC, digital succeeds on the strength of its data. The ability to collect and analyze the vast stores of data available through these interactions, including such variables as the time of day the consumer shopped for coverage, the channel the consumer used, and stores of information collected from third-parties as part of the automated application process, provides the key to improved customer service.

“By analyzing this data, insurers can understand each customer’s lifestyle, behaviors and preferences in order to engage with them at the right time and place, offer personalized service and offers and more,” says Andy Hirst, vice president of banking solutions, SAP Banking Industry Business Unit.

As insurers create omni-channel engagement, they’re strengthening distribution from every angle, giving consumers the option to quote coverage online when it’s most convenient for them, and then buy it right then and there or to seamlessly call an agent to discuss their options and their risk.

Customer experience is rapidly becoming the foundation of success in the industry, and digital distribution provides the first link in building that base of core customer satisfaction. By providing consumers with multiple channels of engagement and the ability to meet more of their needs at any time, day or night, carriers are taking back the lead on profitability.

Claims Advocacy’s Biggest Opportunity

We know the single greatest roadblock to timely work injury recovery and controlling claim costs. And it’s not overpriced care, or doubtful medical provider quality or even litigation. It is the negative impact of personal expectations, behaviors and predicaments that can come with the injured worker or can grow out of work injury.

This suite of roadblocks is classified as “psychosocial” issues – issues that claims leaders now rank as the No. 1 barrier to successful claim outcomes, according to Rising Medical Solutions’ 2016 Workers’ Compensation Benchmarking Study survey.

Psychosocial roadblocks drive up claim costs far more than catastrophic claims, mostly due to delayed recovery, and claims executives told us they occur regardless of the nature of injury. In other words, one cannot predict from medical data the presence of a psychosocial issue; one has to listen to the injured worker with a fresh mind.

See also: Power of ‘Claims Advocacy’  

It’s likely no coincidence that, while the industry has progressively paid more attention to psychosocial issues this past decade, there’s also been a shift toward advocacy-based claims models over adversarial, compliance- and task-based processing styles. Simply put, advocacy models – which treat the worker as a whole person – are better equipped to control or eliminate psychosocial factors during recovery. According to the 2016 Benchmarking Study survey, claims advocacy and greater training in communication and soft skills, like empathy, are associated with higher-performing claims organizations.

Psychosocial – What It Is, What It Is Not

The Hartford’s medical director, Dr. Marcos Iglesias, says that the “psych” part does not mean psychiatric issues, such as schizophrenia, personality disorders or major depressive disorders. Instead, he points out, “We are talking about behavioral issues, the way we think, feel and act. An example is fear of physical movement, as it may worsen one’s impairment or cause pain, or fear of judgment by coworkers.”

The Hartford’s text mining has found the presence of “fear” in claim notes was predictive of poor outcomes. Similar findings were recently cited by both Lockton (“Leading with Empathy: How Data Analytics Uncovered Claimants’ Fears”) and the Workers’ Compensation Research Institute (“Predictors of Worker Outcomes”).

Emotional distress, such as catastrophic reaction to pain and activity avoidance, is predictive of poor outcomes. Other conditions, behaviors and predicaments include obesity, hard feelings about coworkers, troubled home life, the lack of temporary modified work assignments, limited English proficiency and – most commonly noted – poor coping skills. Additionally, being out of work can lead to increased rates of smoking, alcohol abuse, illicit drug use, risky sexual behavior and suicide.

When peeling back the psychosocial onion, one can see how adversarial, compliance- and task-driven claim styles are 1) ill-suited for addressing fears, beliefs, perceptions and poor coping skills and 2) less likely to effectively address these roadblocks due to the disruption they pose to workflows and task timelines.

Screening and the One Big Question

Albertsons, with more than 285,000 employees in retail food and related businesses, screens injured workers for psychosocial comorbidities. To ensure workers are comfortable and honest, the company enlists a third-party telephonic triage firm to perform screenings. “It’s voluntary and confidential in details, with only a summary score shared with claims adjusters and case managers,” says Denise Algire, the company’s director of risk initiatives and national medical director.

At The Hartford, Iglesias says claims adjusters ask one very important question of the injured worker, “Jim, when do you expect to return to work?” Any answer of less than 10 days indicates that the worker has good coping skills and that the risk of delayed recovery is low. That kind of answer is a positive flag for timely recovery. If the worker answers with a longer duration, the adjuster explores why the worker believes recovery will be more difficult. For example, the injured worker may identify a barrier of which the adjuster is unaware: His car may have been totaled in an accident. This lack of transportation, and not the injury, may be the return-to-work barrier.

It Takes a Village

Trecia Sigle, Nationwide Insurance’s new associate vice president of workers’ compensation claims, is building a specialized team to address psychosocial roadblocks. Nationwide’s intake process will consist of a combination of manual scoring and predictive modeling, and then adjusters will refer certain workers to specialists with the “right skill set.”

Albertsons invites screened injured workers to receive specialist intervention, usually performed by a network of psychologists who provide health coaching consistent with cognitive behavioral therapy (CBT) principles. This intervention method is short in duration and focuses on active problem-solving with the patient. The Hartford also transfers cases with important psychosocial issues to a specialist team, selected for their listening, empathy, communication skills and past claims experience.

Emotional Intelligence – Can It Be Learned?

Industry professionals are of mixed minds about how and if frontline claims adjusters can improve their interpersonal skills – sometimes called “emotional intelligence” – through training. These soft skills include customer service, communication, critical thinking, active listening and empathy. Experts interviewed agree that some claims adjusters have innately better soft skills. But they also concur that training and coaching can only enhance these skills among claims staff.

See also: The 2 Types of Claims Managers  

Pamela Highsmith-Johnson, national director of case management at CNA, says the insurer introduced a “trusted adviser” training program for all employees who come into contact with injured workers. Small groups use role-playing and share ideas. An online training component is also included.

Advocacy – The Missing Link to Recovery

Could it be that advocacy – treating the injured worker as a whole person and customer at the center of a claim – is the “missing link” for many existing claim practices to work, or work better? Whether for psychosocial issues or other barriers, organizations like The Hartford, Nationwide, CNA and Albertsons are paving the road to a more effective approach for overcoming pervasive barriers to recovery. Participants in the 2016 Workers’ Compensation Benchmarking Study confirm that higher-performing claims organizations are taking this road.

The coming 2017 study will continue to survey claims leaders on advocacy topics. A copy of that report may be pre-ordered here.

5 Tips for Success in Cyber Litigation

Many insurance coverage disputes can be, should be and are settled without the need for litigation and its attendant costs and distractions. However, some disputes cannot be settled, and organizations are compelled to resort to courts or other tribunals to obtain the coverage they paid for, or, with increasing frequency, they are pulled into proceedings by insurers seeking to preemptively avoid coverage. As illustrated by CNA’s recently filed coverage action against its insured in Columbia Casualty Company v. Cottage Health System, in which CNA seeks to avoid coverage for a data breach class action lawsuit and related regulatory investigation, cyber insurance coverage litigation is coming. And in the wake of a data breach or other privacy, cybersecurity, or data protection-related incident, organizations regrettably should anticipate that their cyber insurer may deny coverage for a resulting claim against the policy.

Before a claim arises, organizations are encouraged to negotiate and place the best possible coverage to decrease the likelihood of a coverage denial and litigation. In contrast to many other types of commercial insurance policies, cyber insurance policies are extremely negotiable, and the insurers’ off-the-shelf forms typically can be significantly negotiated and improved for no increase in premium. A well-drafted policy will reduce the likelihood that an insurer will be able to successfully avoid or limit insurance coverage in the event of a claim.

Even where a solid insurance policy is in place, however, and there is a good claim for coverage under the policy language and applicable law, insurers can and do deny coverage. In these and other instances, litigation presents the only method of obtaining or maximizing coverage for a claim.

When facing coverage litigation, organizations are advised to consider the following five strategies for success:

1. Tell a Concise, Compelling Story

In complex insurance coverage litigation, there are many moving parts, and the issues are typically nuanced. It is critical, however, that these complex issues come across to a judge, jury or arbitrator as relatively simple and straightforward. Getting overly caught up in the weeds of policy interpretive and legal issues, particularly at the outset, risks losing the organization’s critical audience and obfuscating a winningly concise, compelling story that is easy to understand, follow and sympathize with. Boiled down to its essence, the story may be—and in this context often is—something as simple as:

“They promised to protect us from a cyber breach if we paid the insurance premium. We paid the premium. They broke their promise.”

2. Place the Story in the Right Context

It is critical to place the story in the proper context because, unfortunately, many insurers in this space, whether by negligent deficit or deliberate design, are selling products that do not reflect the reality of e-commerce and its risks. Many off-the-shelf cyber insurance policies, for example, limit the scope of coverage to only the insured’s own acts and omissions, or only to incidents that affect the insured’s network. Others contain broadly worded, open- ended exclusions like the one at issue in the Columbia Casualty case, which insurers may argue, as CNA argues, can vaporize the coverage ostensibly provided under the policy. These types of exclusions invite litigation and, if enforced literally, can be acutely problematic. There are myriad other traps in cyber insurance policies—even more in those that are not carefully negotiated—that may allow insurers to avoid coverage if the language were applied literally.

If the context is carefully framed and explained, however, judges, juries and arbitrators should be inhospitable to the various “gotcha” traps in these policies. Taking the Columbia Casualty case as an example, the insurer, CNA, relies principally upon an exclusion, titled “Failure to Follow Minimum Required Practices.” As quoted by CNA in its complaint, the exclusion purports to void coverage if the insured fails to “continuously implement” certain aspects of computer security. In this context, however, given the extreme complexity of cybersecurity and data protection, any insured can reasonably be expected to make mistakes in implementing security. This reality is, in fact, a principal reason for purchasing cyber liability coverage in the first place. Indeed, CNA represents in its marketing materials that the policy at issue in Columbia Casualty offers “exceptional first- and third-party cyber liability coverage to address a broad range of exposures,” including “security breaches” and “mistakes”:

“CNA NetProtect fills the gaps by offering exceptional first- and third-party cyber liability coverage to address a broad range of exposures. CNA NetProtect covers insureds for exposures that include security breaches, mistakes and unauthorized employee acts, virus attacks, hacking, identity theft or private information loss, and infringing or disparaging content. CNA NetProtect coverage is worldwide, claims-made with limits up to $10 million.”

It is important to use the discovery phase to fully flesh out the context of the insurance and the entire insurance transaction in addition to the meaning, intent and interpretation of the policy terms and conditions, claims handling and other matters of importance depending on the particular circumstances of the coverage action.

3. Secure the Best Potential Venue and Choice of Law

One of the first and most critical decisions that an organization contemplating insurance coverage litigation must make is the appropriate forum for the litigation. This decision, which may be affected by whether the policy contains a forum selection clause, can be critical to potential success. Among other reasons, the choice of forum may have a significant impact on the related choice-of-law issue, which in some cases determines the outcome. Insurance contracts are interpreted according to state law, and the various state courts diverge widely on issues surrounding insurance coverage. Until the governing law applicable to an insurance contract is established, the policy can be, in a figurative and yet a very real sense, a blank piece of paper. The different interpretations given the same language from one state to the next can mean the difference between a coverage victory and a loss. It is therefore critical to undertake a careful choice-of-law analysis before initiating coverage litigation, selecting a venue or, where the insurer files first, taking a choice-of-law position or deciding whether to challenge the insurer’s selected forum.

4. Consider Bringing in Other Carriers

Often, when there is a cybersecurity, privacy or data protection-related issue, more than one insurance policy may be triggered. For example, a data breach like Target’s may implicate an organization’s cyber insurance, commercial general liability (CGL) insurance and directors’ and officers’ liability insurance. To the extent that insurers on different lines of coverage have denied coverage, it may be beneficial for the organization to have those insurance carriers pointing the finger at each other throughout the insurance coverage proceedings.

A judge, arbitrator or jury may find it offensive if an organization’s CGL insurer is arguing, on the one hand, that a data breach is not covered because of a new exclusion in the CGL policy and the organization’s cyber insurer also is arguing that the breach is not covered under the cyber policy that was purchased to fill the “gap” in coverage created by the CGL policy exclusion. It is also important to carefully consider the best strategy to maximize the potentially available coverage across the insured’s entire insurance portfolio and each triggered policy.

5. Retain Counsel With Cyber Insurance Expertise

Cyber insurance is unlike any other line of coverage. There is no standardization. Each of the hundreds of products in the marketplace has its own insurer-drafted terms and conditions that vary dramatically from insurer to insurer—and even between policies underwritten by the same insurer. Obtaining coverage litigation counsel with substantial cyber insurance expertise will assist an organization on a number of fronts.

Importantly, it will give the organization unique access to compelling arguments based upon the context, history, evolution and intent of this line of insurance product. Likewise, during the discovery phase, coverage counsel with unique knowledge and experience is positioned to ask for and obtain the particular information and evidence that can make or break the case—and will be able to do so in a relatively efficient manner. In addition to creating solid ammunition for trial, effective discovery often leads to successful summary judgment rulings, which, at a minimum, streamline the case in a cost-effective manner and limit the issues that ultimately go to a jury.

Likewise, counsel familiar with all of the many different insurer-drafted forms as they have evolved over time will give the organization key access to arguments based upon both obvious and subtle differences among the many different policy wordings, including the particular language in the organization’s policy. Often in coverage disputes, the multimillion-dollar result comes down to a few words, the sequence of a few words, or even the position of a comma or other punctuation.

Following these five strategies and refusing to take “no” for an answer will increase the odds of securing valuable coverage.

The Devil Is in the Details of Cyber

There’s a tempest amid the recent spring shower of cyber insurance cases. It isn’t the Recall Total case,[1] or the Travelers v. Federal Recovery Services case reported the week before.[2] Although those two cases have garnered a great deal of media and other attention from those seeking, and seeking to provide, guidance surrounding insurance coverage for cybersecurity and data privacy-related liability, those cases are, by and large, relatively insignificant.

The tempest case is Columbia Casualty Company v. Cottage Health System.[3] In Columbia Casualty, CNA’s non-admitted insurer, Columbia Casualty, seeks to avoid coverage under a cyber insurance policy for the defense and settlement of a data breach class action lawsuit. This is one of the first cyber/data privacy disputes under a cyber insurance policy that has resulted in litigation.

Columbia Casualty warrants close attention by any organization that currently purchases, or is considering purchasing, cyber insurance, as well as by those insurance intermediaries, outside coverage counsel and other parties who seek to capably assist organizations in this complex area. Irrespective of the ultimate merits of CNA’s coverage positions, Columbia Casualty illustrates that the devil is in the details when placing cyber insurance coverage. Although this type of coverage can be extremely valuable, and is likely to soon become a nondiscretionary purchase for many, if not most, organizations, it is particularly challenging to place successfully.

Below is a factual summary of the Columbia Casualty case, a summary of the coverage issues and some takeaway thoughts for avoiding the two important potential coverage issues highlighted by the case: (1) broad exclusions relating to cybersecurity/data protection practices and (2) the misrepresentation defense.

The Facts

Underlying Data Breach Litigation and Regulatory Investigation

Columbia Casualty arises out of a data breach incident that resulted in the release of private electronic healthcare patient information stored on network servers owned, maintained or used by the insured, Cottage Health System (Cottage).[4]

In the wake of the breach, Cottage faced a putative class action lawsuit alleging that “the confidential medical records of approximately 32,500 patients at the hospitals affiliated with [Cottage] were negligently disclosed and released to the public on the Internet.”[5] The lawsuit sought damages for alleged violation of California’s Confidentiality of Medical Information Act.[6]

The lawsuit settled in April 2015 for $4.1 million.[7] Cottage’s cyber insurer, CNA, funded the settlement pursuant to a reservation of rights.[8]

Following the settlement of the data breach lawsuit, CNA filed its coverage litigation, in which CNA seeks declarations of non-coverage. In particular, CNA seeks declarations both that it: (1) “is not obligated to provide Cottage with a defense or indemnification in connection with any and all claims stemming from the data breach,”[9] and (2) is entitled “to reimbursement in full from Cottage for any and all attorney’s fees or related costs or expenses … in connection with the defense and settlement of the class action lawsuit and any related proceedings.”[10]

The Cyber Insurance Policy

CNA issued to Cottage its NetProtect360 cyber insurance policy with limits of $10 million.[11] The policy provides coverage for, among other things, “privacy injury claims.”[12]   Based on CNA’s complaint, there is no dispute as to whether the data breach lawsuit triggers the policy coverage. Those familiar with the off-the-shelf NetProtect360 policy form likely would agree that it does. And CNA does not allege otherwise.

The Coverage Issues

CNA denies coverage for the defense and settlement of the data breach lawsuit on two principal bases, which are discussed in turn.

Exclusion for “Failure to Follow Minimum Required Practices”

CNA relies upon an exclusion in the NetProtect360 policy, titled “Failure to Follow Minimum Required Practices,” which states:

Whether in connection with any First Party Coverage or any Liability Coverage, the Insurer shall not be liable to pay any Loss:

  • Failure to Follow Minimum Required Practices based upon, directly or indirectly arising out of, or in any way involving:
  • Any failure of an Insured to continuously implement the procedures and risk controls identified in the Insured’s application for this Insurance and all related information submitted to the Insurer in conjunction with such application whether orally or in writing;…[13]

Citing this exclusion, CNA alleges that coverage is precluded because its insured purported to do certain things relating to various aspects of network and computer security. In particular, CNA alleges that its insured failed to “continuously implement the procedures and risk controls identified in its application,” to “regularly check and maintain security patches on its systems” and to “enhance risk controls,” among a host of “other things”:

  1. Upon information and belief, the data breach at issue in the Underlying Action and the DOJ Proceeding was caused as a result of File Transfer Protocol[14] settings on Cottage’s internet servers that permitted anonymous user access, thereby allowing electronic personal health information to become available to the public via Google’s internet search engine.
  2. Upon information and belief, the data breach at issue in the Underlying Action and the DOJ Proceeding was caused by Cottage’s failure to continuously implement the procedures and risk controls identified in its application, including, but not limited to, its failure to replace factory default settings, its failure to ensure that its information security systems were securely configured, among other things.
  3. Upon information and belief, the data breach at issue in the Underlying Action and the DOJ Proceeding was caused by Cottage’s failure to regularly check and maintain security patches on its systems, its failure to regularly re-assess its information security exposure and enhance risk controls, its failure to have a system in place to detect unauthorized access or attempts to access sensitive information stored on its servers and its failure to control and track all changes to its network to ensure it remains secure, among other things.
  4. Accordingly, Columbia is entitled to a declaration that it is not obligated to defend or indemnify Cottage in connection with the Underlying Action or the DOJ Proceeding and that coverage for the claims and potential damages at issue in the Underlying Action and the DOJ Proceeding is precluded pursuant to the Columbia Policy’s Failure to Follow Minimum Required Practices” exclusion.[15]

CNA does not allege that its insured acted willfully, that it acted recklessly or even that it was grossly negligent.

The Misrepresentation Defense

In support of its misrepresentation defense, CNA relies principally upon the policy “Application” condition in the policy, which states, among other things, that the insurance policy “shall be null and void if the Application contains any misrepresentation or omission … which materially affects either the acceptance of the risk”:

  1. Application
  • The Insureds represent and acknowledge that the statements contained on the Declarations and in the Application, and any materials submitted or required to be submitted therewith (all of which shall be maintained on file by the Insurer and be deemed attached to and incorporated into this Policy as if physically attached), are the Insured’s representations, are true and: (i) are the basis of this Policy and are to be considered as incorporated into and constituting a part of this Policy; and (ii) shall be deemed material to the acceptance of this risk or the hazard assumed by the Insurer under this Policy. This Policy is issued in reliance upon the truth of such representations.
  • This Policy shall be null and void if the Application contains any misrepresentation or omission:
  • made with the intent to deceive, or
  • which materially affects either the acceptance of the risk or the hazard assumed by the Insurer under the Policy.[16]

Citing this condition, CNA alleges that it is entitled to a declaration of non-coverage because its insured’s “application for coverage … contained misrepresentations and/or omissions of material fact” relating to its purported “failure to maintain the risk controls identified in its application”:

  1. The Columbia Policy’s “Application” condition provides that the Columbia Policy “shall be null and void if the Application contains any misrepresentation or omission: a. made with the intent to deceive, or b. which materially affects either the acceptance of the risk or the hazard assumed by the Insurer under the Policy.”
  2. The Columbia Policy’s “Minimum Required Practices” condition provides that, as a “condition precedent to coverage,” Cottage warrants that it shall “maintain all risk controls identified in the Insured’s Application and any supplemental information provided by the Insured in conjunction with Insured’s Application for this Policy.”
  3. Upon information and belief, Cottage’s application for coverage under the Columbia Policy contained misrepresentations and/or omissions of material fact that were made negligently or with intent to deceive concerning Cottage’s data breach risk controls.
  4. Upon information and belief, the data breach at issue in the Underlying Action and the DOJ Proceeding was caused by Cottage’s failure to maintain the risk controls identified in its application, including, but not limited to, its failure to replace factory default settings to ensure that its information security systems were securely configured.
  5. Accordingly, Columbia is entitled to a declaration that it is not obligated to defend or indemnify Cottage in connection with the Underlying Action or the DOJ Proceeding based on Cottage’s breaches of the Columbia Policy’s “Application” and “Minimum Required Practices” conditions.[17]

Again, note that CNA seeks to avoid coverage even to the extent its insured’s alleged misrepresentations or omissions “were made negligently.”

The Takeaway Tips

  1. Beware Of Broadly Worded Cybersecurity/Data Protection Exclusions

The California Court in Columbia Casualty should reject outright CNA’s attempt to avoid coverage based on a ridiculously broadly worded, open-ended exclusion, which, if enforced literally as interpreted by CNA, would largely, if not entirely, vaporize the coverage that CNA sold under the NetProtect360 policy. For starters, exclusions are to be read narrowly against CNA under established rules of insurance policy construction,[18] and broad exclusions that would render coverage illusory are not permitted in California[19] or elsewhere.[20] Nor is the exclusion, as interpreted by CNA, consistent with an insured’s reasonable expectations concerning the coverage afforded under the NetProtect360 policy,[21] which, as represented by CNA in its marketing materials, offers “exceptional first- and third-party cyber liability coverage to address a broad range of exposures,” including “security breaches” and “mistakes”:

Cyber Liability and CNA NetProtect Products

CNA NetProtect fills the gaps by offering exceptional first- and third-party cyber liability coverage to address a broad range of exposures. CNA NetProtect covers insureds for exposures that include security breaches, mistakes and unauthorized employee acts, virus attacks, hacking, identity theft or private information loss and infringing or disparaging content. CNA NetProtect coverage is worldwide, claims-made with limits up to $10 million.[22]

To be sure, the fact that any insured reasonably can be expected to make mistakes, i.e., to be negligent, in the complex areas of cybersecurity and data protection is a principal reason for purchasing cyber liability coverage.

Putting aside the merits of CNA’s contentions, the type of “Failure to Follow Minimum Required Practices” exclusion found in the off-the-shelf NetProtect360 is regrettably common, and, as the Columbia Casualty illustrates, may be read by insurers to significantly undermine, if not completely vitiate, coverage, requiring insureds to become engaged in coverage litigation as a predicate to obtaining coverage.

The good news is that, although certain types of exclusions are unrealistic given the nature of the risk an insured is attempting to insure against, cyber insurance policies are highly negotiable. It is possible to cripple inappropriate exclusions by appropriately curtailing them, or to entirely eliminate them — and often this does not cost additional premium.

  1. Guard Against a Misrepresentation Defense

We have seen it in the D&O context for years, and it’s coming to cyber: the insurer’s misrepresentation/concealment defense. Provisions like the ones that CNA relies upon in Columbia Casualty are contained in some form in the majority of insurance applications and policies. And, while certainly not unique to cyber insurance, these types of provisions can be more troubling in the cyber context because of the subject matter being insured. Cyber insurance applications can, and usually do, contain myriad questions concerning an organization’s cybersecurity and data protection practices, seeking detailed information surrounding technical, complex subject matter. These questions are often answered by technical specialists, moreover, that may not appreciate the nuances and idiosyncrasies of insurance coverage law, such as the fact that, depending upon applicable law, there is a risk that an unintentional misrepresentation may suffice to allow an insurer to deny coverage.[23]  So what can be done? One line of attack is to negotiate significantly better policy terms relating to the application and misrepresentation. Another worthwhile strategy is to have coverage counsel involved in the application process. It often makes sense for coverage counsel to engage outside computer security consultants to assist with the application process. The application process can be valuable, shining a spotlight on current cybersecurity risk management practices that may reveal potential weaknesses that should be addressed. But, clearly, managing the process with an eye toward potential future claims is advisable. The CNA case illustrates the importance of embracing a cohesive, team approach and being mindful of potential future coverage disputes when placing this type of coverage.

 

[1] Recall Total Info. Mgmt., Inc. v. Federal Ins. Co., — A.3d —-, 2015 WL 2371957 (Conn. May 26, 2015).

[2] Travelers Prop. Cas. Co. of Am., et al. v. Federal Recovery Servs., Inc., et al., No. 2:14-CV-170 TS (D. Utah May 11, 2015)).

[3] No. 2:15-cv-03432 (C.D. Cal.) (filed May 7, 2015).

[4] See CNA Complaint For Declaratory Judgment And Reimbursement, ¶¶2-3. Cottage operates a network of hospitals located in Southern California. See id.

[5] Kenneth Rice, et al. v. INSYNC, Cottage Health Sys., et al., Case No. 30-2014-00701147-CU-NP-CJC (Ca. Super. Ct. Jan. 27, 2014), ¶1.

[6] Id. ¶¶68, 80.

According to CNA’s complaint, Cottage also faces an ongoing investigation by the California Department of Justice regarding potential HIPAA violations. See Complaint For Declaratory Judgment And Reimbursement, ¶¶6, 22. In its declaratory judgment action, CNA also disclaims coverage for this proceeding. See CNA Complaint For Declaratory Judgment And Reimbursement, ¶¶46-49.

[7] See Order Granting Final Approval of Proposed Class Action Settlement and Judgment (Apr. 15, 2015), Findings in Support of Final Settlement Approval ¶2.B.; see also Class Action Settlement And Release Agreement, § 3.1.

[8] See CNA Complaint For Declaratory Judgment And Reimbursement, ¶5.

[9] Id. ¶8.

[10] Id. ¶9.

[11] Id. ¶22-23.

[12] Id. ¶25.

[13] Id. ¶26. A separate policy “condition” states as follows:

  1. Minimum Required Practices

The Insured warrants, as a condition precedent to coverage under this Policy, that is shall:

  1. follow the Minimum Required Practices that are listed in the Minimum Required Practices endorsement as a condition of coverage under this policy, and
  2. maintain all risk controls identified in the Insured’s Application and any supplemental information provided by the Insured in conjunction with Insured’s Application for this Policy.

Id. ¶27.

[14] This is used to transfer files between computers on a network.

[15] Id. ¶¶41-44 (footnote reference and emphasis added).

[16] Id. ¶27. CNA also cites to a “Warranty” provision in the insurance application, stating as follows:

Applicant hereby declares after inquiry, that the information contained herein and in any supplemental applications or forms required hereby, are true, accurate and complete, and that no material facts have been suppressed or misstated. Applicant acknowledges a continuing obligation to report to the CNA Company to whom this Application is made (“the Company”) as soon as practicable any material changes…all such information, after signing the application and prior to issuance of this policy, and acknowledges that the Company shall have the right to withdraw or modify any outstanding quotations and/or authorization or agreement to bind the insurance based upon such changes.

Further, Applicant understands and acknowledges that:

2) If a policy is issued, the Company will have relied upon, as representations, this application, any supplemental applications and any other statements furnished to this Company in conjunction with this application.

3) All supplemental applications, statements and other materials furnished to the Company in conjunction with this application are hereby incorporated by reference into this application and made a part thereof.

4) This application will be the basis of the contract and will be incorporated by referenced into and made a part of such policy.

Id. ¶31.

[17] Id. ¶¶51-55 (emphasis added).

[18] See, e.g.,. 2 Couch on Insurance § 22:31 (“the rule is that, such terms are strictly construed against the insurer where they are of uncertain import or reasonably susceptible of a double construction, or negate coverage provided elsewhere in the policy”); see also 17A Couch on Insurance § 254:12 (“The insurer bears the burden of proving the applicability of policy exclusions and limitations or other types of affirmative defenses.”).

[19] See, e.g., Armstrong World Indus., Inc. v. Aetna Cas. & Sur. Co., 52 Cal. Rptr. 2d 690, 705 (Cal. Ct. App. 1996) (rejecting the insurers’ approach where “the insurers’ approach would essentially render the asbestos manufacturers’ insurance coverage illusory”).

[20] See, e.g., Allan D. Windt, 2 Insurance Claims and Disputes § 6:2 (6th ed. updated Mar. 2015) (“a court will not allow an exclusion to eliminate coverage that is expressly and specifically provided for in the same policy form. More generally stated, a policy will not be interpreted to create illusory coverage. For example, in the context of analyzing the absolute pollution exclusion, discussed in § 11:11, some courts have refused to apply the exclusion as written based upon what was, in effect, the conclusion that the exclusion would cause the coverage to be illusory.”).

[21] See, e.g., 2 Couch on Insurance § 22:11 (“the rule is that the objectively reasonable expectations of applicants and intended beneficiaries regarding the terms of insurance contracts will be honored even though a painstaking study of the insurance provisions would have negated those expectations”).

[22] https://www.cnapro.com/html/Our_Products/OurProducts_CNANetProtect.html

[23]See, e.g., Rafi v. Rutgers Cas. Ins. Co., 872 N.Y.S.2d 799 (N.Y. App. Div. 2009) (“although misrepresentations made by an insured must be material, they may be innocently or unintentionally made”).

Six Key Insurance Business Impacts From Analytics

Recently, I had the privilege of serving as chairman of the inaugural Insurance for Analytics USA conference in Chicago, which was very well organized by Data Driven Business, part of FC Business Intelligence. I am convinced that analytics is not only one of the most valuable and promising technology disciplines to ever find its way into the insurance industry ecosystem, but that its very adoption clearly identifies those carriers – and their information technology partners – that will be the most innovative.

Analytics has exceptionally broad enterprise potential, with the ability to permanently change the way carriers think and conduct their business. The future of analytics is even more promising than most can imagine.

The conference — where the excitement was palpable — showed the sheer diversity of carrier types and sizes as well as the many different operational areas in which analytics is being used to drive insight, business outcomes and innovation and create real competitive differentiation. From large carriers such as Chubb, Sun Life, Nationwide, American Family, CNA and CSAA, to smaller insurers including Fireman's Fund, Pacific Specialty, Great American, Westfield, National General and Houston Casualty, presentations demonstrated how broadly analytics should be applied through every function and every level of the organization. Presentations from information technology provider types including Dun & Bradstreet, L&T InfoTech, Fractal Analytics, Megaputer, EagleEye Analytics, Clarity Solutions Group, Dataguise, Quadrant, Actionable Analytics, Earley & Associates and DataDNA laid out the future potential.

Recent research shows that one major application of analytics — predictive modeling — is getting attention in pricing and rating, where more than 80% of carriers use it regularly. However, only about 50% use it today in underwriting, and fewer than 30% do so in reserving, claims and marketing.

Based on information shared during the conference, there are six major thrusts to the analytics trend:

• Analytics liberates and democratizes data, which in turn ignites innovation and change within carriers.

• Analytics is uniting insurance organizations, breaking down information silos and creating collaboration between operating units, even as enterprise data governance policies and practices emerge.

• Investment and M&A activity in information technology companies in data and analytics is surging and will create even greater disruption and innovation as more entrepreneurial thinkers continue blending art with science.

• New “as-a-service” pay-per-use models for delivery and pricing are emerging for software (SaaS) and data (DaaS), which will be appealing and cost-effective, especially for mid-tier and smaller carriers.

• Analytics is driving innovation in products, business processes, markets, competition and business models.

• Carriers will have to innovate or surrender market share and should watch for competition from new players, such as Google and Amazon, which understand data, the cloud, innovation and consumer engagement.

This article first appeared on Insurance & Technology