Tag Archives: cyber exclusions

7 Predictions for IoT Impact on Insurance

We are at an inflection point. The internet is going from controlling information to controlling physical things, which has profound implications for both the global economy and the future of insurance. In this post, I will provide seven predictions for how the Internet of Things (IoT) will change the insurance industry, although ultimately these predictions only scratch the surface as there are few lines of insurance that won’t be affected by cyber risk in the next five to 10 years.

Background on Internet of Things (IoT)

It is estimated that there will be as many as 200 billion everyday objects connected to the internet by 2020. Applications for the IoT are as diverse as consumer devices, manufacturing sensors, health monitoring, connected vehicles, office automation and all the way to fully “smart cities.” The emergence of IoT technologies is a tremendous development that spans all aspects of human existence and could unlock as much as $11 trillion per year in value to the global economy by 2025, according to the McKinsey Global Institute.

See also: Insurance and the Internet of Things  

What these numbers don’t show, however, is the tremendous physical and financial risk that comes with connecting everyday objects to the internet. According to the 2016 Symantec Internet Security Threat Report (ISTR), hundreds of millions of internet-connected TVs are vulnerable to click fraud, botnets, data theft and even ransomware, and these numbers are growing rapidly. Cyber attacks on internet-connected devices create systemic risk and the potential for hundreds of billions of dollars in losses. When physical devices can be hacked (and potentially hacked en masse), the potential for major business interruption, physical damage and even loss of life becomes very real.

This isn’t to say we should not pursue IoT technologies. In fact, in many ways, IoT will make society safer, as well as more efficient and convenient. Every year, 1.2 million people die in automobile accidents, and around 90% of those accidents are attributable to driver error, which will decline as more internet-connected vehicles incorporate advanced safety features. However, as internet-connected devices become pervasive in all aspects of our lives, the nature of risks facing consumers and businesses will be fundamentally different.

While the future is uncertain, especially as it pertains to technology, here are seven predictions on how IoT could affect insurers.

  1. Continued Growth of Affirmative Cyber Insurance Policies: According to Lloyd’s of London, cyber attacks cost businesses $400 billion in losses per year, and, by some estimates, cyber crime costs the global economy trillions of dollars per year. The current cyber insurance market, which is focused on data protection, is around $2.7 billion globally. The market has doubled over the past 24 to 36 months, and growth shows no signs of abating. Growth of affirmative cyber insurance data and liability policies, primarily covering costs associated with data breaches, is just the tip of the “IoT iceberg,” as cyber becomes an even more important insurable risk.
  2. Some Core Insurance Lines Will Decline: IoT will change the nature of the risks that consumers and businesses face. For example, according to AT Kearney, features such as advanced driver-assistance systems (ADAS), semi-autonomous vehicles and tracking of stolen vehicles will be deployed in half of the cars on the road by 2025. By some estimates, the global auto insurance market will shrink by 60% or more as driver error is reduced and less insurance is needed for that risk. As key insurable losses become preventable by IoT, core insurance lines will decline.
  3. IoT Aggregation Risk Starts Pervading a Diverse Set of Insurance Lines: IoT can turn large-scale hacks into global cyber catastrophes. Already, there have been successful hacks on industrial control systems that have led to major physical damage in heavy industries. Fortunately, these incidents have been isolated to “one-off” occurrences, but with key industrial control systems, logistics tracking systems and building automation systems crossing tens of thousands of businesses, the potential for major cross-cutting cyber events is increasing. IoT aggregation risk occurs in insurance lines where it wasn’t previously observed, accounted for or priced into the cost of an insurance policy.
  4. Cyber Peril Exclusions Grow in Commercial Policies: In the years to come, we will see highly public “forcing events” related to cyber attacks on IoT devices. Unfortunately, it is not a matter of if but when we see major IoT cyber hacks. When these events happen, insurers will likely respond by writing in more explicit exclusions for cyber perils in insurance lines such as product liability, property, E&O and other policies. In many cases, insurers are focused on the aggregation risks that exist within their affirmative cyber data and liability policies, when the reality is there is tremendous silent coverage in the rest of an insurer’s portfolio today.
  5. “Cyber Gap” Insurance Policies Emerge: There will be an expanding list of critical cyber perils that won’t be covered under a standard insurance policy. Specialty cyber insurance policies and endorsements will surface to fill in the need for IoT cyber risk coverage. McKinsey estimates that as much as $3.7 trillion in value could be unlocked in factories alone from IoT. Too much value is at stake for clients not to seek coverage from insurers, and the market demand is too large for insurers not to provide this cover, although it will take deep cyber expertise to understand these novel risks.
  6. New Cyber Risk Capital Market Offerings Emerge: Currently, the global insurance market has $4 billion to $5 billion in capacity for nuclear risks and $100 billion for natural catastrophes. Fixing the Y2K bug alone is estimated to have cost $100 billion, and the costs associated with remediating IoT security deficiencies could be very high, particularly because IoT components do not always have a means for remote firmware updates. Given that cyber events represent hundreds of billions of dollars (or more) of potential liability, with low correlation to other events, there is a role for capital markets providers to step in to help transfer risk. Given initial explorations already happening today, London could emerge as a major market for insurance-linked securities tied back to cyber risk.
  7. Insurers Will Help Drive IoT Security: Consumers aren’t necessarily buying technology products with IoT risk in mind; regulators are struggling to keep up; and in a race to get new products to market, technology companies are often launching products without adequate security built in. Symantec’s research has shown that 19% of mobile apps used to control IoT devices don’t use SSL/TLS connections to the cloud and more than 50% didn’t provide a mechanism for firmware updates, or, if they did, those updates were not encrypted (and an update channel that is neither encrypted nor signature-verified lets an attacker on the network path push its own firmware to the device). Given that insurers are taking on the financial risk associated with IoT going wrong, insurers have an important role to play in making sure that the basics are done right for the risks they underwrite.

The emergence of IoT is a tremendous technological development that will create wide-ranging benefits for governments, businesses and consumers. However, it will also propel cyber risk into the limelight as the most important risk of the 21st Century.

See also: Prospects for Insurers as a Global Industry  

As an industry that transfers and mutualizes risk, insurers face far-reaching implications, and there will be both winners and losers. Those that win will have a deep understanding of the evolving nature of cyber risk, leveraging cyber data, intelligence and expertise. Companies like Symantec will have an important role to play in helping to understand evolving threats, which is why we have set up a dedicated Cyber Insurance Group to support our insurer partners.

It is hard to predict the future of technology and the risks that new technology will create with any degree of certainty. What is certain is that where there is risk, there is an opportunity for insurers to provide risk-transfer solutions through insurance products. Just as there is innovation in technology, there will be innovation in insurance as both industries come together to unlock the potential of the Internet of Things.

6 Areas to Watch in a D&O Review

Performing a directors and officers (D&O) insurance audit is a complex exercise that is made more difficult by constantly shifting language, new rulings and claim trends. While much of the policies’ language and terms have remained fairly constant over the years, here are six areas of new or renewed interest that buyers and their brokers will want to pay attention to.

See also: The Need to Educate on General Liability  

Cyber Exclusions: Because cyber-related litigation has been quiet, there is little case law at the moment testing courts’ interpretations of D&O policies, so it is difficult to determine the adequacy of coverage provided by existing policy language. Generally speaking, D&O policies are not crafted with cyber risks in mind, so many policies may contain problematic language, such as the definition of “wrongful acts.” However, some carriers are going in the opposite direction and are purposefully applying specific cyber-related exclusions to their policies with the intent of pushing the exposures to more appropriate cyber policies.

Cyber policies have still not entirely adjusted to modern cyber risk, and these exclusions are not yet industry standard, so buyers should, when able, avoid D&O policies that contain cyber exclusions. While most policies lack such language, many carriers have included somewhat watered-down wording by adding “privacy events and/or invasion of privacy” within the broad bodily injury exclusions. While this language is not as crippling as an explicit cyber exclusion, buyers should still attempt to negotiate its removal.

Many professional liability experts also believe broadly worded terrorism exclusions may have the ability to negate coverage for cyber events with the belief that they will be classified as cyber-terrorism. To address the terrorism exclusion, buyers should ask the carriers to “except” (thus, carving back) cyber-related claims.

Lastly, while it may be obvious, brokers should advise buyers on the importance of placing separate cyber insurance while also highlighting the intricate coverage differences among them. The same level of attention that is given to grooming D&O coverage should be given to grooming cyber proposals/policies. This includes careful review of policy definitions, terms, conditions, exclusions, etc.

Professional Services Exclusion: Along with the contractual exclusion, the professional services exclusion is consistently cited as one of the most sweeping and problematic exclusions for insureds. Broad professional service exclusions typically preclude coverage for claims “for, based upon, arising from or related to” errors, acts and omissions while providing professional services. This exclusion is particularly problematic for service firms because almost any claim can be “related to” their providing of professional services. However, this exclusion is also becoming increasingly problematic for many businesses because so many businesses today provide some level of services (from consulting to technology services). For tech companies, in particular, this exclusion has the potential to preclude coverage for cyber-related claims, as many of the tech services provided may be considered “professional services” by the carrier.

When negotiating this exclusion, buyers should ask the carriers to replace the term “for, based upon, arising from or related to,” with, simply, “for.” Such an amendment effectively carves out the errors and omissions exposure the carrier intends to exclude while still preserving coverage for “true” D&O claims.

Conduct Exclusion: The conduct exclusions are one of the (if not the) most visited exclusions within D&O policies. While not much has changed in terms of recommendations to D&O buyers, we have noticed that a number of carriers’ policies still contain less-than-preferred language. To avoid coverage being denied for unintentional wrongdoing, the excluded conduct should be specifically stated as “deliberate, willful and intentional.” Sufficient severability language should also be included to protect innocent directors.

The area where we still see many carriers lacking is in the “ruling language.” For purposes of providing coverage for innocent actors and claims without merit, the carrier should agree to provide defense costs until a final determination is made. More specifically, though, that final “determination” should be in the form of a “final adjudication in the underlying action.” While much of it may seem like a matter of semantics, final rulings/judgments are NOT the same as “final adjudication,” which is required by the courts. In addition, the language should specifically state that that determination be made in the underlying action to prevent the carrier from arguing that wrongdoing found by those outside the courts (such as regulators) nullifies coverage.

JOBS Act/Securities Exclusion: Startups and companies looking to raise equity have a new reason to be excited. The JOBS Act provides an avenue for significant growth without all of the time and compliance costs imposed by the strict reporting and disclosure obligations that come with an IPO. And with the new Regulation A+, the ceiling has been lifted, allowing a significant capital raise while still remaining private.

Those same attractive features, however, also carry some increased risk. The potential for fraud (and accusations of fraud) is considerably higher because of the lack of transparency. Additionally, private companies purchasing D&O may find a somewhat hidden surprise in the broad securities exclusions that almost entirely eliminate coverage for crowdfunding-related claims.

While many insurers have been somewhat slow to react, many others responded expeditiously by either adding a separate endorsement or revising their exclusion to carve back coverage for claims that are related to securities and qualify under the JOBS Act. Any companies considering a crowdfunding campaign or raising any equity under crowdfunding regulations should exercise extra diligence when reviewing their D&O insurance to ensure the carrier has appropriately provided coverage for such claims. Without question, this includes smaller companies that may believe they are less prone to crowdfunding claims, which is false. The case against Quest from 2011 demonstrates that these claims can arise over seemingly simple fee disputes.

Lastly, organizations should also avoid any carrier-imposed sub-limits for crowdfunding-related claims, paying close attention to the adequacy of such limits when they are unavoidable.

Entity vs. Insured Exclusion: The insured vs. insured exclusion is almost as old as D&O itself. To alleviate some of the concerns related to the “I vs I” exclusion, many carriers today have adopted a more modern alternative replacing it with an “entity vs. insured” exclusion. While this substitution is preferred and does seem to solve many of the unintended consequences, it still deserves careful review. The most obvious carve-back that buyers and their brokers should seek is coverage for derivative claims brought on behalf of the organization. Because of their derivative nature, insureds should also negotiate a carve-back for bankruptcy claims brought by trustees and debtors in possession. Additionally, buyers should review the definitions of insured and organization/entity to ensure bankruptcy trustees and debtor-in-possession are also included as insureds.

Regulatory Proceedings and Investigations: Coverage for regulatory/administrative proceedings and investigations has always been of interest for buyers but remains difficult to obtain. Informal regulatory proceedings and investigations against the entity itself are the most difficult to insure against.

With cyber whistleblower claims beginning, regulators are capitalizing on their success with more “traditional” whistleblower claims, and coverage for government investigations is quickly becoming a topic of renewed interest. Over the past few years, many carriers have begun to provide coverage for informal investigations and regulatory/administrative proceedings against individual directors and officers. Additionally, private companies may be able to obtain coverage for formal investigations and proceedings against the entity itself. It should be noted that, for purposes of reviewing and grooming coverage, administrative/regulatory proceedings and investigations are not synonymous.

Some carriers have also been implementing standard coverage for FCPA fines/penalties against individuals. The ability to obtain a policy with such language does not necessarily mean the policy will respond, though. There are a number of additional items that require review, such as claim definitions that require “wrongful act” accusations to trigger the regulatory coverage (which should be avoided).

See also: What to Expect on Management Liability