April 25, 2016
The Questions That Aren’t Being Asked
by Jesse Lyon
Crucial issues are being missed in cyber and elsewhere, showing that we have to find ways to develop radically different underwriting skills.
In Aldous Huxley’s 1931 novel Brave New World, many original ideas were posited about a futuristic society. Two of those ideas, appearing in our present, involve eugenics and an ever-increasing reliance on technology.
Techniques like CRISPR (clustered regularly interspaced short palindromic repeats) to genetically engineer a human embryo, and technological advances like self-driving vehicles, could be said to represent some of Huxley’s notions. However, professional liability underwriters, especially those underwriting cyber liability and tech E&O, are out of phase with this “brave new world,” and this fact creates a dangerous situation for both those underwriters and an economic world dependent on them. To be responsible and successful in the present and into the future, the professional liability insurance sector must look backward to look forward and, in so doing, create a breed of underwriters who are every bit as creative as the future will be.
Being out of sync with present-day reality is clearly represented in questions not asked on cyber liability and tech E&O applications. For instance, one current cyber liability application does not ask what type of firewall an applicant is using. A company can use a simple device with a firewall feature and claim to have a firewall in place, but that device will not come close to equaling the protection offered by a hardware-based NGFW, or Next Generation Firewall. The same application also does not ask if multiple hardware and software ecosystems are used, even though the answer to that question, especially for a medium-sized and large business, offers significant insight into the company’s cyber security approach. Additionally, this particular application does not ask whether an applicant is using the services of a cyber security firm. Those kinds of questions, and the answers to them, convey an enormous amount of information about the cyber security posture of an applicant and, in turn, provide significant insight into whether a risk is worth underwriting and at what cost. For such questions to be missing from an application is dangerous for insurance companies and the clients of those companies.
The current situation with technology E&O applications is equally worrisome. For example, in the exclusions list on one recently updated technology E&O policy there is no exclusion for computer languages known to be highly prone to cyber breaches. Theoretically, an insured software company could be writing code in Adobe Flash or JavaScript, languages that should be avoided. By not excluding those languages, the insurer is exposed to adverse results of claims and lawsuits caused by an insured using hazardous script. Perhaps even worse, this insurer does not exclude wireless products that do not include proper encryption. Thus, if a company that produces baby monitors creates a product that broadcasts the signal in an unencrypted format, claims could arise from a concerned consumer of that product. After all, what reasonable parent would allow anyone to spy on her child?
This issue is likely even worse because, time and again, successful lawsuits have already been brought against manufacturers of products that lack proper wireless encryption. The absence of such exclusions to protect itself and to encourage better behavior from its insureds calls into question whether a technology E&O insurer is in sync both with technology and the current legal environment. With underwriters being out of step in the present, one must wonder how they will be able to help drive the world forward in the future.
There are other parts of the professional insurance sphere that are not poised well to be in harmony with the future. In the near future, robots will be introduced into social environments like nursing homes. If a robot injects medication into a patient, prescribes a medication or lifts a patient from a wheelchair to a bed, then that takes an already risky situation into an unexplored legal realm. If a patient suffers an adverse reaction to a drug that was injected by a robot, then how will the nursing home be protected by any of its insurance policies? Or, what if a robot is provided by the nursing home to a patient who needs companionship? If the robot malfunctioned and could not be replaced and the patient withdrew into a depressed state and died, then how would insurance cover a wrongful death suit by the patient’s family? A general liability policy certainly would not cover such an event, and an allied health policy is not currently worded to handle such a risk. What about the manufacturer of that robot? Would a technology E&O policy step forward and indemnify the manufacturer of the robot?
Most countries, especially those like China, Japan and the U.S., have populations that possess far more elderly people than younger ones, and there are simply not enough people entering the field of senior care to handle the influx of those who need care in their golden years. This means that robotic companies are going to be filling that void and, in so doing, will create an unprecedented situation that will require the professional insurance sector to provide guidance and protection to the rapidly aging world. To provide that guidance and protection, however, will require professional underwriters to understand the intersection of technology, human care and the law, an intersection with which underwriters are currently less than conversant.
So how do insurance companies offering cyber liability, technology E&O and other professional insurance get into sync with the evolving world they are underwriting? There was once an international competition that encouraged students in the seventh through twelfth grades to form groups of two or three people and build educational websites. The competition was known as ThinkQuest. It was supported by both governmental and private organizations, had strong support from educators in more than thirty countries and rewarded the most successful competitors with scholarships of as much as $25,000. A similar approach must now be embraced and championed by the insurance industry. The brilliance of ThinkQuest was that it brought together young people who could appreciate and understand a multitude of ideas, numerous bodies of knowledge and people who were willing to learn and teach at the same time and who could convey their ideas both by the written word and binary. The spectrum of ideas that the groups put forth ranged from examining a social phenomenon like Harry Potter to examining how music affects people’s mental and physical health.
To be able to fully appreciate and understand nearly every cyber liability and technology E&O risk requires people who have an uncommon breadth and depth of knowledge that extends from simple areas like grammar to complex areas like quantum mechanics. When an underwriter tries to underwrite a risk like SSA (space situational awareness), to underwrite a risk in which a company produces electronic-photopic chips or to understand memory-resident malware, that requires a degree of understanding that is clearly not being demonstrated by the majority of the current breed of underwriters. However, the degree of wide-ranging creativity needed here was what the ThinkQuest competitions were created to foster in young people. The insurance industry needs people who can draw from a wide range of knowledge, and it also needs people who can write binary code with exactitude. Insurance companies must employ cyber forensic engineers who can pinpoint where a security breach happened, how an intruder gained access to additional computers and how to remedy the situation.
Being able to work individually or in a team, being able to backtrack to the point of intrusion and being able to view the world in tangible and non-tangible ways requires more than someone who can simply write one line of code after another. Currently, insurance companies depend on other companies to investigate data breaches, but this will not work out in the long run. In the 20th century, numerous insurance companies owned law firms to litigate claims economically. The 21st century will require cyber liability insurers to employ cyber forensic engineers to investigate claims based on network breaches. Moreover, in the very near future insurers will need to create an organization that tests routers, switches, servers, smart phones, robots and other technology devices to determine how secure or how capable those devices are. As has already been argued on the PLUS Blog in November 2015, not all technology devices are created with the same expertise, and figuring out which devices are least and most secure will greatly facilitate insurers’ ability to price policies correctly. However, finding young people who can view the computer realm in multiple dimensions, and finding those who can function in a cross-disciplinary environment and approach a risk from a multitude of angles, can only be successfully accomplished on a large scale through an instructional competition.
People who have a broad and deep appreciation for multiple disciplines and cyber forensic engineers are uncommon, and insurance companies are not the only ones who need such thinkers. Cyber security companies, law firms, private and public educational organizations, research organizations, think tanks and governments are just a few sectors that need those types of people. This means that, as difficult as it is already to find thoughtful insurance people knowledgeable about the cyber world, the future is only going to be exponentially more troublesome.
When the 20-year-old who is going into her senior year at college thinks about the past and future, what will she strongly consider for a career? Will she remember the competitions that the insurance industry hosted that allowed her to cultivate friends from all over the world, and allowed her to gain the needed assurance in her skills as a programmer or a writer to pursue a major in computer science or history? Will she remember the competitions that helped fund her time at college, and in doing all of that proved that being a cyber liability underwriter is a fulfilling career opportunity? Or will that 20-year-old have nothing to remember where the insurance sector is concerned?
The Cyber Security Challenge is one competition that currently aims to increase the pool of cyber forensic engineers; however, it is not an international competition and focuses only on people who are capable of becoming cyber forensic engineers. Professional liability insurers need thinkers and tinkerers, and locating both on a large scale can only be accomplished through a competition like ThinkQuest. Nano-technology, advanced robotics, augmented reality and memory-resident malware are elements of a brave new world that cyber liability and tech E&O insurers are going to come face-to-face with in the short term. In three to five years, insurers are going to encounter robots where none have been before. If insurers do not create and enthusiastically support a competition like ThinkQuest, then insurers will not be acknowledged or remembered by those in college. Consequently, insurers will find themselves without a breed of underwriters who can thrive in and understand the brave future. This must not be so!