Wire fraud may not be covered in your cyber insurance policy. Coverage is mixed and continues to be a moving target at each policy renewal. This webinar discusses current trends, policy provisions, sub-limits on certain losses, and what to expect on your next renewal. We also provide a list of the Top 10 questions to ask your insurance carrier to make sure you have the protection you need.
Full webinar transcript:
Tom Cronkright: Hello, everyone. This is Tom Cronkright with CertifID. I’m super excited about today’s topic on E&O and Cyber Insurance Trends. I can tell you firsthand if there is any landscape that has been as dynamic as the real estate and settlement closing landscape around wire fraud and cyber breaches, it’s the reactions that we’re starting to see in the insurance space. Not title insurance but the overall professional lines in cyber insurance. We have some awesome guests with us that we are just blessed to have them share some information that is as fresh as it could possibly be in the country.
Tom Cronkright: As a way of introduction, for those of you that I haven’t met, I’m the co-founder of CertifID, Licensed Attorney, also own a large agency in Michigan, so we’re living and breathing these issues alongside many of you in the title and settlement industry. Also a Wire Fraud Victim, so this issue of trying to keep our customers and transactions and companies secure is something that we’re intently focused on month-over-month and quarter-over-quarter.
Tom Cronkright: We have Steve Tuuk. I’ve known Steve for quite a while. He was a founder, President & CEO of Professionals Direct, it’s a publicly-traded company specializing in lawyer E&O and professional lines. Then the vice president and management liability of Leavitt. He’s also a Licensed Attorney, and he has just a wealth of information and has been for decades around the movement in errors and omissions and how to adequately protect ourselves for the work we’re doing.
Tom Cronkright: And then Paul King. Paul is a Senior VP and National Technical Director for USI. He specializes in this area of cybersecurity in the landscape and what’s moving. We have an absolutely packed agenda.
Tom Cronkright: By way of housekeeping, if you have questions that come to mind in the GoTo Webinar panel, there’s a questions field, and please put your questions in there, and we will try to get to as many as possible. For those that we don’t, we’ll actually answer those and circulate any remaining questions out to the group.
Tom Cronkright: Also with us is Tyler Adams who’s the co-founder of CertifID, and our Head of Product, and he’s going to help wrap up with some of the Q&A in next steps.
Tom Cronkright: I want to start with just a minute on CertifID, because many of you are not aware of what we do beyond this great educational series that we put together this year. What we do is help mitigate risk in the area of wire fraud. It’s an area right now that if you’re maintaining an escrow or an IOLTA Trust Account, it’s nerve-wracking, because of the losses and the risk profile of safely transferring funds in, and then disbursing those out after closings.
Tom Cronkright: What we’ve created is a software platform that helps reduce risk. Every wire that is CertifID through the platform is covered by a million-dollar guarantee standing alone from anything that we’re going to hear today. We validate identity, and we’re able to securely transmit and exchange wiring information in a matter of seconds. What that does for organizations, it just instills trust back into the transaction, the transaction ecosystem when it relates to funds transfer.
Tom Cronkright: Easy to use for your employees, just a few clicks, a little bit of information, and you’re off and running, validating that the person that you think you’re dealing with, and the person sending you funds, or you’re sending funds to, is in fact the correct individual in the transaction.
Tom Cronkright: Then for customers, we’re simply, we’re protecting their life savings. Both cash to close and net proceeds can also be used for any type of new loan, or loan payoff or third party funding. The customer experience is super light, both on the computer and on a mobile device. I encourage you after lunch, let’s have a conversation on how we can come alongside and fill a gap that we’re going to learn today between the E&O and cyber coverages.
Tom Cronkright: As to the content, I mentioned we’ve got a packed agenda. Everyone will receive a copy of this presentation once we’re done. I think we generate those by the end of the day today. If you want to use this for training purposes, or someone in your organization wasn’t able to make it, no problem. I’m going to kick off with the size and scope of the wire fraud problem. And some new information has come out this summer that I think really summarizes what we’re dealing with.
Tom Cronkright: I’ve mentioned in many of my talks, that the fraudsters aren’t guessing whether or not there’s a real estate transaction taking place, because all the information is syndicated on the MLS. Well, to put it in aggregate content or perspective, there’s roughly almost 17,000 closings this year that are taking place, or 16,400 every calendar year last year, and we have just shy of $4 billion moving on a daily basis in connection with real estate closings and fundings.
Tom Cronkright: That’s two times the defense budget globally on a daily basis. We’re just moving massive amounts of money in big slugs per transfer. Then if you haven’t read this, I really encourage you to download this FinCEN report from the US treasury that came out earlier last month. What it shows is just the incredible increase in business email compromise. And look at the three sectors, the three top sectors, manufacturing, commercial services, and then real estate are making up roughly 60% of the total activity that they’re seeing. From a numbers perspective, look at this one on the right. They reported $300 million a month in activity, and that’s what’s reported.
Tom Cronkright: So FinCEN gets FBI, and Secret Service and Department of Treasury, everything funnels in through FinCEN as a large aggregator of this type of information, and that’s probably only 10% to 15% of what’s happening. If you’re feeling it, I like to tell people, they’re not picking on you, they’re transaction agnostic and brand agnostic, they just want cash. If they can find it, they’re going to go after it, but we’re just seeing some really steep increases in this activity, which is why the insurance is so important.
Tom Cronkright: From a wire fraud perspective, here are some other stats. Again, $300 million a month, $90 billion in the attempts from June 16 through the end of last year based on a FOIA request that we had received. The challenge for us as title and settlement providers is what’s happening in the litigation arena around losses. Our next fraud briefing is going to detail some of the seminal cases that are pending or recently decided on who’s ultimately responsible.
Tom Cronkright: Current claims and losses, let me give you a quick update, and then I’m going to hand it over to Steve to do a deep dive on the E&O side. And then Paul’s going to come in on the cyber side and see how these two together make sure that you’re covered for the actual losses and risks facing your organization or your customers. Based on one of the largest underwriters that actually binds cyber insurance in the US, we’re running pretty rampant on increases for lost claims in cyber. The real estate sector, in particular, is having a really rough go right now because of the amount of losses and claims that are coming in for wire fraud. To segment those claims, you can see that roughly almost 90% of those have something to do with theft of funds, theft of data, or holding your system hostage for ransom.
Tom Cronkright: That’s where a bulk of it is taking place. One of the biggest concerns that I have for the industry, they’re not going to give up on wire fraud. I was speaking with the FBI this past Monday in New York, and he said something really interesting. This is someone from the cyber group. He said, “They’ll never retire a fraud scam.” The old Nigerian prince scam, or the Robocall Scam, the IRS is suing you, you just don’t know about it. They’re going to show up at black Suburbans and start hauling out your groceries in the back. They don’t retire a scam. They just create new ones to add on top. What I’m concerned about is the way that we’re storing and segmenting and approaching data in our industry from a personally identifiable perspective. We just have so much PII, but you can see here how it’s active.
Tom Cronkright: The other stat that I found fascinating was this, first-party versus third-party claims. First-party claim is, I have to send funds to, let’s say Steve as the seller for his net proceeds, and I get tricked as the title and settlement provider and wiring out to a fraudster. I tender a first-party claim because I lost the funds, and I’m going to go to my insurance carrier and say, “Hey, I need help here based on coverage in my policy.”
Tom Cronkright: A third party claim is where, let’s say, Steve’s the buyer, and he gets tricked into thinking that he’s working with some title, or ACME title or whoever the title provider is for him, and he wires off to a fraudster that’s impersonating the title or settlement provider or the law firm. That would be a third party claim. What’s interesting is how many first-party claims were submitted versus third party claims, because everything we’re hearing is, “Hey, they’re after buyers.” They’re after buyers and they are, but this underbelly of first-party claims. A lot of these are not getting reported but they’re happening. It means they’re direct hits right on the organizations that are involved in the title and settlement.
Tom Cronkright: 95% of these fell into one of three categories. I won’t read all these, but again, the themes. I want your cash, I want your data or somehow I’m going to damage or hold hostage, the network until we get paid or whatever happens to be.
Tom Cronkright: Here’s another alarming statistic, but I think encouraging in the sense that there are things that we can do in this area, is that three-quarters of these claims are attributable back to some human error. Whether it was a breakdown in policy or training, or process or something that either wasn’t fully developed, wasn’t fully followed, wasn’t fully explained. I think we have a real opportunity here to lower that incidence year-over-year because we can affect the folks in our organization if we take this on.
Tom Cronkright: The core exposures, if there is a claim, is reputational harm. I would argue that this is probably why most people are mum when there is a loss, and they don’t want to report to the IC3. They don’t want to call their carrier or their underwriter because, well, I’m either going to write a check and take my lumps and move on, right? That’s what we did in our wire fraud and then try to get the money back. Or I’m going to recover, and I got almost a full recovery, but I’m not going to let anybody know, because the reputational risk could be huge. You never know how that spins out of control in the media. Commercial data, damage to assets, and like you say, the actual theft of funds, but one in four tie hand-in-hand. Even if you had a full recovery, who wants to raise their hand and say, “Yeah. I had several million in the wind last month. Glad that came back from my bank. That would have been a lights-out scenario for me.” Nobody wants to hear that.
Tom Cronkright: My last slide, and then I’m going to hand it over to Steve and do a deep dive, is what options do we have? I’m going to speak as a title agency owner, and how we looked at the insurance market to cover off as many of these risk profiles as we could, and it really wrapped into three separate policies. This is where we’re going to do a deep dive. One was just E&O, and Steve will touch on this, but we just went through a renewal, and USI helped us with that renewal, and we’re bound with some of the best carriers literally in the world for this coverage. But I took away from that at a high level, that E&O is functioning almost like a pre-computer aged E&O, where it’s about the professional standards and the Occupational Code, and our underwriting requirements for our title insurance underwriters. Did we do the work? Did we do the 40 year? Did we clear the requirements? Did we fully and safely disburse? Did we issue the final policy? All those things. What recent litigation is showing us, is that beyond that, when there’s a loss, there’s a new standard of care that’s developing around this issue of what we’re doing to protect the customers and ultimately, our funds during the process.
Tom Cronkright: And then cyber. So, E&O got that. Cyber was a whole different world. It was like the wild west right now. And Paul is going to get into this. But cyber, it’s bifurcated between cyber, which is like, “Hey, did they hack my network? Did they take my data? Did they hold me ransom?” This and that. And then crime related to the theft of funds or third party loss in those types of things. What we saw in our most recent renewal, were not only like steep increases in premium but new supplements and conditions to coverage. I think that you have to understand how these two worlds are pivoting around, would you agree Steve? Higher than expected losses in the area of wire fraud?
Stephen Tuuk: Yes, very much. In other words, the problem that the industry is starting to see is that, in the last five years, and it’s been a five-year, four-year, three-year problem that’s emerged. There are a lot of new coverage triggers that the policies that were in place that were written several years ago don’t either address with some level of silence, or there’s no coverage at all. In other words, you have a mixed bag in terms of what’s actually happening now on the insurance side, because as you point out, we operate about five years in arrears. We look out the rearview mirror, we see what losses are starting to accumulate, and then the industry starts to respond. Well, this is a new one, different kind of exposure. And this exposure, as you see in some of the slides that we’ve put together has dramatically changed both in terms of scope and level of sophistication such that it’s difficult for an actuary, again, looking sort of in the rearview mirror to respond and come up with a pricing and underwriting model. It’s not that the insurance industry isn’t prepared and doesn’t see the threat, is to get all the wheels moving to make sure that that happens.
Tom Cronkright: Paul, anything to add to that?
Paul King: Yeah, the only thing I’d say in addition to that, Steve, right on the mark where we are today. The only thing I’d add would be, when you are looking at these policies, you guys are absolutely correct. There are going to be different levels of certification, different levels of dedicated coverage for the issues that we’re talking about today, and optimizing those, I noticed that we’re going to get into both Steve and I, and how these policies interact and how they offer coverage from multiple sources. Because of that changing nature of the threat and the inability to really project based on historical losses because of how fast and severity changes are happening as noted, the ability to work these policies together optimally, three that we have listed here and others is going to be really what differentiates successful responses versus maybe suboptimal responses in a claim.
Tom Cronkright: One tip that I would give those on the phone, Steve and Paul might not like this, but one thing that we did is that we put real-life examples in front of our insurance representatives to say, “Hey, would this profile be covered?” And if the answer was no, then how could it be covered? Is it covered somewhere else? Do we need a special endorsement? If you guys have an instance where you actually had a fraud, and you want to make sure that that isn’t going to happen again, or it would have been covered, or there’s a near miss, I mean, just emails, like email them. Here’s the example, would this be covered? All right. Let’s do a deep dive into E&O. And Steve, I’m going to hand this over to you, and then ultimately, to Paul for the cyber side. Thank you.
Stephen Tuuk: Thank you very much. If we look at Errors and Omissions coverage, the first thing I want everybody to understand is, it covers the standard of care that the professional has to any of the parties that they are dealing with. When I say parties, that sounds a little abstract. Really, what it means is your client or your customer. Okay, that person that is writing a check to you, or that you can see across the table, but it also covers a number of other people. Those could be the people sending new information. Those could be the people that are relying on things that you put out. Those could be people that you relay information to, that you’re not even fully aware of. But when we step back and we look at our duty as professionals, that’s title agents and lawyers principally, what is it that we owe the people that we deal with? And how is that policy going to respond in the event of a cyber or wire fraud issue? I think what we’re finding is that a lot of that is emerging as the tort law or as the case law starts to come down. Your E&O policy is the policy that picks up many of these things, but then also, the cyber policy is the next policy that is in line.
Stephen Tuuk: Your Errors and Omissions Insurance, what is it? Professional liability. If you want a summary of that policy, it’s actually contained on your declarations page. It’s got the limits, it’s got the sub-limits, the deductible, it’s got any extensions of coverage. It’s got whether it’s CEOL, and a claim expense inside or outside the limit, and everything in the core policy document then refers to that summary. That summary is incorporated actually in the policy itself.
Stephen Tuuk: What does your policy cover? Well Acts, Errors and Omissions that arise after the retro date and create claims that are made and reported in the policy period. That’s the very quick summary and it’s contained in what’s called the insuring agreement that is in the policy and usually, it’s on page one. So you can see that, read it. The retro date is something that, frankly, goes back to when you first got insurance, or when you created the business, and it’s anything you did, any mistake that you made, that then gets made and reported during that policy period, which is usually the annual renewal that you have every year. That one, although complicated, again, it’s not occurrence insurance. Then triggers the policy, which is usually a duty to defend and a duty to indemnify any claim. In other words, you have a claim, you got a problem, and guess what? The policy says the insurance company has to hire a lawyer, and the insurance company has to pay whatever settlement or verdict is created.
Stephen Tuuk: If you look at that, then how does that actually relate to what we’re talking about? Well, wire fraud used to be something that might have been covered in that policy. What happened, however as some of these new situations have emerged, is that increasingly, insurance underwriters have shifted that over to the Cyber Policy by creating an exclusion. And the exclusion usually says something to the fact that any kind of cyber claim goes over to a different policy and is not covered by the Errors and Omissions Policy.
Stephen Tuuk: Now, that’s nice in terms of what I’ll call relatively technical drafting, but I’ll maintain through this presentation that I think the E&O policy is still the policy that’s going to be the one responding as a last resort. When I say that it simply means that if there’s not cyber coverage, or if the cyber coverage is inadequate, the plaintiff bar that’s presenting these claims, that’s going to go after the E&O policy in terms of additional limit, or frankly, enough dollars, to respond to the claim. Many times the claims are going to be too big for any title or closing agent to handle on their own. And with a million or $2 million or $3 million E&O limit, that’s going to be a nice target for people to attach to.
Stephen Tuuk: When we look at common coverage exclusions, I don’t want to spend too much on this, but probably the key item now is you have exclusions for what I’m going to call highly regulated or third breach of securities laws. Highly regulated organizations are REITS, pension plans, and public reporting enterprises. You can get those back if you have an endorsement. Coverage exclusions also apply for any kind of entities or enterprises that you as the title agent or the law firm control or that control you. Then also at the end, we see increasingly exclusions that apply for a data breach, and now that definitions, as we move forward, are becoming more sophisticated to include any kind of technology-related claims. In that way, the E&O carrier shifts the burden, the financial burden over to the cyber carrier to pick up any kind of what I’ll call tech claims including wire fraud.
Stephen Tuuk: We can add back a number of these things when we actually look at the endorsements that usually apply. I mean, I think Paul picks this up in a number of his slides, but probably the first thing to look at is, do we have the right insureds on the policy? And that includes predecessors, anybody we bought or acquired, anybody that might be a related party is the right party actually insured under the E&O policy. I spend a lot of time just changing the arithmetic or the math. Is the limit right and can it be increased? Is the deductible appropriate for the business and can that be changed? We find that a lot of coverage extensions or endorsements also include the professional services that are provided by the enterprise. In other words, does that fit or is that just narrowly technical in terms of title and closing work alone?
Stephen Tuuk: Then at the end, there’s also what’s called an extended reporting period endorsement, the so-called tail coverage. The tail coverage comes into play if there’s an acquisition, death, disability, or retirement of a principal, or the business is actually liquidated.
Stephen Tuuk: In terms of what’s happening in the industry, and again, step back to the E&O Standard of care, we’re finding that claims and losses are increasing and they’re increasing with some relative speed. The claims that are coming in are complicated. It’s not always as clear which policy is going to cover the claim. What you get into is a lot of finger-pointing that may arise, and that assumes that you have cyber coverage.
Stephen Tuuk: We’re finding that the case law is emerging so that it’s not easy to say exactly if a standard of care has been breached. If so, who is responsible? And if we find a responsible party, how does that impact the coverage? What I’m seeing in the litigation that I’ve looked at, the claims that I’ve actually seen is there’s a number of claims where there’s a side-by-side defense and then coverage denial. And the coverage denial is often litigated. It’s not entirely clear that the insurance industry is applying coverage to that fact situation. We’re going to see in the next three, four years, a fair amount of those cases get resolved. And I think we’re going to find a clearer picture in terms of exactly what’s covered under what particular policy terms.
Stephen Tuuk: It’s no secret now, Tom mentioned it, pricing is increasing significantly. It’s not a uniform price increase, it comes in fits and starts, and also underwriting is tighter. Tighter in the sense that there’s more questions being asked. There’s more people that are looking at whether we should be in this market or not. And there’s more application activity, meaning more questions on your application for particularly cyber, but then also for E&O coverage.
Stephen Tuuk: At this point, I’m going to defer on the top five questions because at the end we’re going to deal with the top 10. And I think it’s important that you see the questions not only for E&O but also for cyber because the two have to operate together. Again, my point will be, I think the E&O policy and the limits that it applies will be sort of the backstop to a lot of different claims, because if there’s a theme I’ve seen, is that there’s not enough cyber being purchased either by the law firms that close real estate deals, or by the title agents that are closing deals, particularly at the medium to smaller end of the market place. If there is any one theme I would promote, it’s that you have proper risk management on each of these policies and that you look very, very carefully at both the coverages and the ways in which the coverages work together because you can’t buy one without considering the other at this point in time. That wasn’t always true about several years ago. But it is true today. E&O and cyber and then crime and fraud all work together. With that, I’m going to turn it over to Paul for his presentation.
Paul King: Absolutely. Thank you, Steve, so much. If we could skip forward to a couple of slides, and get to the cyber risk landscape piece, there we go, the cyber insurance trends. First of all, good morning everyone and Steve, thank you for that. That was both spot-on, and actually plays in what we’re talking about here where the risks are increasing quickly, and I think even more so than E&O, as you noted Steve, the cyber is difficult to benchmark against, difficult to understand the coverages because of the newness, and also because there’s a lack of fundamental understanding of the risk from both the insurance carrier side, i.e. that actuarial data that Steve mentioned, as well as a different operational and policy writing structure.
Paul King: That’s a really good place to start, which is you note on the point number one here on the current cyber risk landscape, which obviously could be 10 pages by itself, but the number one risk that we’re seeing right now from understanding of coverage standpoint and optimization of coverage standpoint, is the market’s completely disjointed. There is no standardization of forms. Now, we’re in much better shape than we were, say, even two years ago with offerings from various carriers of which the 120 plus policies, and extensions that are in a place occurrence to seek to address cyber risk.
Paul King: Obviously, there’s going to be some overlap, but there’s going to be a lot of differing coverage, whether that be limit, whether that’d be typed, whether that’d be language within coverage grants, etc. Each insurer approaching this in a different way, the claims-paying ability and experience of the carriers, and their time within the industry, and their understanding of what a potential aggregation risk could look like to them means that the financial strength and the claims-paying experience of an underwriter and a carrier becomes even more important for this line than even on the previous crown holder when it comes to the understanding and sophistication and financial backing of the carriers, i.e. the E&O policies.
Paul King: We’ve now seen cyber step up, and I hate to say this to the group, but I think it’s important to note, and something that Tom mentioned in his opening comments, the quality of carriers, not just the forms, the qualities vary widely as does the quality of the panels, and we’ll talk about what that means as part of the cyber policy coming up that are being offered at current. That’s why understanding your risk and understanding how best to address it and transfer that risk is absolutely critical now as we see the market starting to solidify.
Paul King: Why would the market start to solidify? Well, some really recent stats have just come out in the last month. Another increase, I don’t think this is going to come as a surprise to anyone in the global cost of a cyber event. We used to say data breach, but as Steve pointed out, and was alluded to by Tom, whether it be social engineering attacks or ransomware and we see there in point 3 of these, other than breach events exploding so much so that underserved or traditionally perhaps under-protected entities such as municipalities, etc, who maybe don’t have the patching cadence and the IT wherewithal of large corporations. We’re now seeing, and obviously, some of the professional services, firms that we’re talking about here size-wise, focus wise, we’ll get into some specific loss types and what they mean for the industry.
Paul King: But there’s a real focus with an increase in costs, and I think something that’s important to note on that global average loss that just came out of here recently from 2018, and the IBM Ponemon report, is that the US has double that on average, by the way. $4 million for the global average, $8 million for the US. And small and medium businesses there you see, the cost of $2.5 million for those under 500 employees, that can obviously be a crippling cost. Very similar to the E&O market, we’re starting to see solidification both in price and retention size, but still, and I think this is an important point to make, there has not been, and I’m knocking on wood as I say, a major aggregation event. There has not been a major cloud provider outage. There has not been a major event that has taken down another type of IT service provider, or other third-party service providers to call the dependent business interruption yet. And to see multiple carriers sit with multiple claims at one time. But that is coming. Before it does, this conversation is very timely about getting your house in order on cyber coverage.
Paul King: Next slide, please. What does Cyber Insurance Coverage look like? This goes back to something that Tom and Steve mentioned early on in the discussion, well, how do I know if I have it? What do I have? Etc. I’ll address that here as we’re working into this slide, which is number one, if you don’t know if you have a cyber dedicated limit, and I don’t mean as part of your E&O policy as an extension, as Steve noted, I don’t mean if it’s somewhere as a small sub-limit in your GL for very limited circumstances. If you are not buying a piece on the crime policy, maybe K&R piece here or there. If you are not buying a dedicated crime policy and can confidently say that you know that, you’re likely already behind where you need to be.
Paul King: The reason being, if you look at these third party liability coverage, and the first party reimbursement coverages, there are several different coverages that are contained herein and that either A, will not be contained as Steve will tell you, on your professional liability policy, nor should they be contained in anywhere else for the most part. Some of those are going to be regulatory action coverage specific to a cyber event. Some of those are going to be privacy liability coverages that would then be tied into events.
Paul King: The rising third party issue with others bringing claims for losses, regulators, etc. And, of course, the first party breach reimbursement coverage as we say, first-party breach there, it really should actually read first party event coverages, whether that be a ransomware event, and while there may be some coverage under a K&R policy, for example. Number one, do you know if you carry that? Number two, it’s likely limited, and three, you’re not going to get the additional services that you need, i.e. Forensics, etc, that you would under a cyber policy.
Paul King: Let’s just go through a couple of these real fast. I know some of them are rather nebulous in the limited time that we have here. We can just go back to that previous slide for one second. I want to touch on something from a coverage standpoint that was mentioned earlier. I think this is a good example of some of the things we’re talking about. If you look at the business interruption and dependent business interruption, and there is nomenclature that go through those 120 plus different policies, whether it be called system failure, or dependent system failure, business interruption, dependent business interruption.
Paul King: These are going to be coverages, number one, that your firms much more so than a breach event, etc, will need to ensure that, which is critical, but that’s more of a standardized coverage to make sure that you have as broad of coverage as possible here under those two for example, because the coverage varies wildly, and then speaking specifically something that Tom and Steve mentioned earlier, i.e. the reputational harm piece, we actually have been able to build out coverage in cyber forms for loss of net income, or other permutations depending on carriers, etc, where we were able to address that loss should there be a negative reputational impact.
Paul King: Conversely, to Steve’s point, that also should give more competence in seeking coverage, etc, when an event happens, knowing that that offset, which is typically temporary but can be exceedingly severe depending on the type of event and how bad it is. There’s some coverage there as well in the cyber policy. And that addresses an issue that specifically that Tom and Steve brought up that’s driving a lot of concern as it should in the professional services set. Next slide, please.
Paul King: I think it’s important to note there are actually, some people say two if you really want to get technical about it, there are three parts of a cyber policy. This is another reason why having that dedicated coverage is absolutely critical in understanding where it lies, but also working with a broker, consultant, internal and external counsel, etc to make sure that you understand exactly what you’re buying, and you get the most value out of it. The majority of cyber policies of those 120 plus that we talked about that while the quality may vary wildly, are going to contain pre-event, i.e. training, i.e. risk updates, or even consultations with various law firms or other providers, regulatory standpoint as you can spread simulations. And as you know, for larger firms or higher premium accounts, even more sophisticated tools such as pen testing, etc. Colored team tests, etc, etc. So red team, blue team, whatever the case may be. Those are going to be available as well in certain situations. You have to take advantage of this part of the cyber policy.
Paul King: Of course, the next slide we talk about the post-breach services, so the post-event services, which include everything from forensics firms and attorneys, to PR firms, to various specialty offerings, in some cases, medical restoration, IDs and other services as needed. By the way, we’ve seen a lot of other services as needed lately, whether that be forensic analysis in a business interruption event, not caused by a property issue, but caused by a cyber loss. Those kinds of services that you would pay on average, between two and four times the insurance rates, other things that we on the broker side are able to negotiate with the carriers as part of the offerings that make up the coverage piece, which we looked at the clauses. That’s one major piece of the cyber offering, and the other two, of course, are the pre and post-event services. I think it’s really important to understand. Next slide, please.
Paul King: Let’s talk about the slides and coverages that are available and how the actual clauses work. Let’s talk about some exclusions that are contained within cyber policies. Antitrust exclusions, you’re going to see, while not as widespread as say D&O and some other exclusions. They are going to be in there. You should be aware of them. Associated companies. Now, this is where it becomes interesting because there are a couple of different areas where we can talk about insureds, and how they interact from an exclusionary standpoint under the policy, but I want to take this as two-fold.
Paul King: Number one, and we’ll talk about this and some of the things that we want to look forward and the policies, so keep this in mind as far as who is insured, not just individuals but entities and how they’re classified is absolutely critical. And associated companies in a lot of cases, especially professional services from middle market, there may be two or three organizations that have to share similar ownership but are not technically or legally subsidiary organizations related organizations, etc, etc.
Paul King: What we’re looking for, as far as the idealized coverage is as broad of an insured as we can get. We need to understand and know what kind of organizational structure we’re looking for. And how that plays, and how we optimally covered, because the exclusions around non-own entities, or non-subs, they’re going to be considered non-insured unless they’re added. And we can talk about some of the differences in language. Bodily injury and property damage, we’re going to talk about that later and cleaning that hardware piece that’s changing, and you need to know how that’s changing and why from where we’ve been historically. Professional Liability, obviously a major consideration here, and why having both coverages, and making sure that both coverages and you understand the exclusions and the interlocking areas, etc, etc, between the two coverages is absolutely critical, and optimizing that for maximum recovery is something that I know we mentioned earlier, we have to keep in mind with these exclusions.
Paul King: PCI fines and assessments. We’re actually moving now to … we’ve actually moved to affirmative grants up to full limits, and the questions around, the gotcha questions around the applications in many, many markets we’ve been able to push back. Security standards exclusions, if you think that you may have one in your policy, and/or being asked on the application for specific standards to sign off, that is something that you need to discuss with your broker and counsel because it’s something that we should have some workarounds in place.
Paul King: And then something that has taken a lot of the headlines recently, I want to make sure we touch on this, the war, terrorism, invasion or insurrection exclusion. I know a lot of folks have read the Maersk story. I know a lot of folks think that Zurich denied a cyber claim. Let’s just be real clear, and so for everybody on the line to understand that, if you don’t have dedicated cyber coverage and take from that comment what you will, and you are seeking coverage under a property policy, this is a great likelihood to potentially happen, you run into an unintended exclusion around a cyber issue. If you were to work with a broker and counsel to understand what some of the optimal ways to structure that exclusion are, or take out language, or make sure that exclusions for kinetic warfare, those kinds of things would be in the cyber policy, you would be able or likely to avoid an exclusionary stance that was taken around the NotPetya attacks, which is where this all started. There is a way to address that within the cyber policies themselves, and we do it on a regular basis. Next slide, please.
Paul King: Some common endorsements. And actually, when it comes to cyber policies, it’s not so much common endorsements as it is we’re expanding the coverage grants either by endorsement or by customized policies that are being negotiated. That bodily injury, property damage wildly varies within the industry. But we have been successful in negotiating first and third party coverages, and a cyber event resulting in bodily injury or property damage.
Paul King: And that flows nicely into the discussion around bricking and coverage, which is coverage for hardware that because the software specifically the boot-up software is disabled, or is rendered unusable. Therefore, the device is rendered unusable not from hardware that’s been corrupted, but from the actual software that doesn’t allow the hardware to work. We’re starting to really finely slice and to really seek recovery on behalf of insureds.
Paul King: And speaking of insureds, that definition that we talked about, and some of the questions that I like to ask, and this is in no way comprehensive, but if you were required by a contract to add someone, your risk manager, or your general counsel serving as Internal Risk Manager for a law firm, etc, etc outside counsel working with whoever’s assigned to risk management. Do you know in your contracts, if you were signing with any of your vendors? Not just an IT vendor, but any vendor? Are they requiring themselves to be added as an insured to your cyber policy for acts that you cause? They could potentially cause liability to enact. If you don’t know what the answer is to that question, or if your cyber policy addresses it, because it’s spreading like wildfire as far as contract negotiations across the US in particular, that’s something that you need to understand.
Paul King: You need to understand the extent. You need to understand the past, present or future nature of insureds, going back to something that Steve talked about with retroactive coverage, etc. And there’s a number of others there, that we can talk about when we talk about the $26 million. I believe it was a shoe. It was either rack room or someone like that that had a TCPA hit recently. Those are some issues that we’re seeing that very, very, very limited cover in the market, because of issues like that. We’ll probably see more folks looking to step in.
Paul King: As differentiators in coverage Social Engineering, what we talked about with the phishing, coverages, whether those be sub-limited or full limits, those are issues that are driving negotiations right now. And that phishing fraud, client coverage and phishing fraud insured coverage. This is really where the rubber meets the road for a lot of folks on the call here. You need to understand what your limits are on your cyber policy, where is their interaction with your crime policy, and the difference between that client coverage piece and the insurance coverage piece. There’s still very limited coverage in the market for losses insured by clients or clients sends to an insured that are spoofed. It’s important to understand the differences between the two and what the optimal coverage looks like in the market today, and where it’s heading for tomorrow. Next slide, please.
Paul King: Let’s talk about some claims as we blow through these here real fast in particular, but they’re very important to our group today. If you look at that 150,000, this is a manufacturing company, but obviously, this can happen to anyone, I just wanted to give it as an example, that $150,000 loss. This is pretty much standards is really below what we’re seeing right now. If you want to flip to the next slide, maybe a little more representative of the amount that we’re hitting. This is a ransomware event that we … This is within the past month or so. Another manufacturer that was nailed to the tune of about $1.2 million, and there was an intensive negotiation, and we ended up paying the $1.2 million. There’s a couple of things I want to say here. Number one, that $1.2 million is relatively small in the ransoms that we’re seeing in the past three months. We’ve had four, $5 million plus and two $10 million plus that have been paid within the last month, month and a half or so, a couple of months in that timeframe.
Paul King: The other thing I want to say is, that’s the ransomware. The actual wire fraud losses are becoming much, much higher because of the sophistication level. This is a major, major event. And the reason it ties back into that aggregation piece we talked about, you’re looking at between three and $30,000 policies in many cases. That’s why you should buy now. Even at a 100 or 150, or $300,000 type of policies. You’re looking at losses of $1 million, $10 million, $5 million. Those are not sustainable in the long term, and they will lead to increased pricing retentions, and much, much, much more restrictive terms. Next slide, please.
Paul King: So let’s keep going until we can get to our top 10 questions as we go to the next slide. Here we go. Next one up. Steve, you want to hit the E&O there on top?
Stephen Tuuk: Yeah, in E&O coverage. Typically, these are the questions that I’m working on as a service provider, basically for law firms and title agencies and closing organizations. But it’s in the regular flow of your business.
Stephen Tuuk: What are the likely mistakes that you’re going to make? What are the likely mistakes that you’ve seen publicized? And how does my E&O, cyber and crime coverage pick that up? That’s a common theme that they all have to fit together. But what’s the ordinary standard loss that I could sustain, and our limit, it’s going to be adequate?
Stephen Tuuk: Will that policy stack actually, pick it up some place? As a customer, as an insurer, you just want to make sure that there’s something there in that coverage stack that makes sure that you don’t have to carry the full load of that loss all by yourself.
Stephen Tuuk: Take a look and ask yourself what are the new and emerging threats? The people that are on this call, on this Webinar are obviously starting to make that inquiry. If there’s any common idea or theme, it’s that we have to call our broker, service providers, or counsel to make sure that what we’re seeing or hearing about actually is being covered by the policies that we have in place.
Stephen Tuuk: A big question is always, what are the past and current enterprises? We can talk about that in terms of the affiliated groups or acquisitions, things that, or organizations that were in our past, and how do those actually come to play in the coverage that Errors and Omissions professional liability provides. On Cyber, Paul, I’ll turn it over to you.
Paul King: Sure. Thanks, Steve. Just to differentiate a little bit guys, Steve was focusing a lot on the questions, technical questions for the asking of your broker and your underwriter. And I don’t want to put words in Steve’s mouth. Obviously, you did a great job of focusing on a lot of those really key questions. From the cyber standpoint, there’s going to be a lot of overlap with those five. Again, read that with a cyber eye to it as well.
Paul King: And then on the cyber specific side, these are some thoughts that you need to take into account before even go into your carriers and discuss with your broker, etc, and you’re outside. You’re inside or outside counsel or both, but what are the insurance included in the policy? I know it’s not the easiest task a lot of times to get the organizational chart out, look at historical organizations, see where the flow is, see who’s covered. We go back to that vendor management piece as well. What’s being required from whom and why, and making sure that everyone that needs to be as much as humanly possible to understand and make sure who needs to be covered under the policy. Absolutely critical. It’s an Oldie but a Goldie and something that we see all of the time, especially with new and emergent language out there expanding who can be insured under a cyber policy.
Paul King: When was the last marketing scrub? You guys saw that list a few slides ago of a lot of the extensions that are occurring either like I said, because we’re negotiating them as clauses into policies, or because they’re being added as endorsements. Do I have all the various types of phishing coverage that are available? In my wire fraud coverage, does it limit me to internal actors that are posing as someone or could it be any vendor or any third party? How does that coverage react? Is there nonphysical for some of the folks on this call who may be handling goods as part of their offerings? They’re non-physical, but those kinds of deep dives into the bodily injury and property damage. Do we have bricking coverage that marketing scrub and updated as a form, especially given like we talked about there’s no uniformity.
Paul King: What should be identified and highlights and risk management standpoint? Your cyber and privacy considerations, cannot just stop at do I have coverage? That’s where we need to start. Then we need to understand what are we agreeing to be a contract with our providers? What are we having them evidence to us as far as their wherewithal from the cyber liability offset and insurance standpoint, etc? Do we know who to go to? Does our broker or inside or outside counsel, whomever else understand if we have particular IT security risks, do they have vendors and relationships that can help us with those things?
Paul King: And also, what if there was an event during the policy period. Everybody, we had an issue, there was a small breach, or we found out that someone was able to exploit the network, get in. There was no exfiltration that we’ve found. Are we going to be able to get cyber insurance? The answer’s yes, by the way. It’s better to report. It’s better to understand. It’s better to be upfront about it because we’re not at a point yet where a loss causes a kick out automatically.
Paul King: And, of course, the risk management procedures that we have in place around cyber, this is getting into some of the more next-level type of considerations. That’s where we are now. Are we using biometric security access, certain points of the building within certain states? What does that mean? Are we using a behavioral predictive program which are becoming widespread? I know that sounds very Orwellian to make sure that the risk of the insider like we saw in cap one, just this last, what? 10 days to address that and know that someone may be trending that way. Those are some of the things besides just the insurance fees that they get to be considered as well at renewal.
Tyler Adams: Guys we have a couple of questions, so why don’t we just run through these steps to lowering risk here over the next minute or so, and then we’ll take a few questions.
Paul King: Steve, if you have anything you want to add here, but a couple of thoughts on this slide, but if you want to start my friend.
Stephen Tuuk: Yeah. I mean, Prevention and Risk Management. Approaching it just from professional lines, okay, the E&O type coverage. There are a lot of things that now a closing agent should have in place in terms of protecting the people that they deal with. I’m approaching that with that lens, and implementing a well-documented, well-crafted response plan is certainly a part of that. In other words, having automated solutions and automated checks is an important part of showing up for business on Monday morning. The question I would ask everybody is, “Do you have those things? Do you have the people, the process, the partners in place that at least limit to the best extent you possibly can, the losses that you might incur based on what you’ve just seen in this presentation.”
Stephen Tuuk: And obviously, CertifID comes into that. Obviously, things like automated solutions are part of that. And so I’d encourage everybody to approach their business and operations with that sort of future view to the standard of care that you have to provide. Paul? Comments?
Paul King: Yeah. Steve, to your point, I think that it’s great, number one. Number two, all the things that you just mentioned, all the things that we’re listing in the first two major bullets up top, the prevention, the risk management piece, etc. Those are all things that A, if you’re buying cyber right now, you have or should have in theory access to from your carrier if you’re looking at a modern setup at a baseline level to get you started. What you need to have though, is an understanding that those tools exist. Understand how to access those tools.
Paul King: Understand that if you need something above and beyond to get to those pieces that Steve was talking about, that you have a broker or a counsel, or both or someone that can point you in the right direction of how these things, because again, looking at it, if it’s rudimentary, or if it’s starting within the organization, it seems daunting. It should not be, and there are ways, Steve’s here, I’m here, others are here to help facilitate putting these prevention risk management functions in place as are the carriers and others who, let’s face it, have a vested interest in seeing that you do.
Stephen Tuuk: Now I’m moving on to slide two. Obtaining explicit and coordinated coverages. I would certainly encourage everyone to take a look not only at this slide, but also ask questions about what that would look like, and be explicit about the fact that you want a coverage for the known risks that you have including wire fraud. A policy I’ve seen, difference in condition coverage, can have the effect of expanding the limit that’s available. Looking at your limits, frankly is probably the next step. We’re going to encourage everybody to make sure that there’s an adequate limit for each of the items that are listed not only on your cyber policy, but also more broadly on your Errors and Omissions policy.
Paul King: The areas, especially to this slide, and particularly on wire transfer, particularly that phishing business email compromise, wire transfer that I know we’ve spoken a lot about on the call, and as a focus for everybody here, you need to coordinate your cyber policy, and your crime policy. You need to understand, especially as Steve talked about with increasing limit, where you’re going to have the best ability to increase limit, and where you’re going to have the best ability to customize your language.
Paul King: The little hint on that is they may not be the same between the crime and the cyber. Most of the time they’re not, so you need to figure out what’s the optimal tapping in of limit, where, based on retention, based on terms and conditions, and then structuring the other policies to provide coverage, whether it be an excess position, whether it be a DIC position that Steve mentioned, and a couple of other items that potentially could be available, whether it be overlap with cyber, and K&R, and ransomware, or property in a BI situation. You need to be aware of where the overlaps are when looking at higher limits.
Stephen Tuuk: With that, I’ll turn it over to Tyler for the questions and wrap up.
Tyler Adams: Sure. Thank you all for staying on. Apologies for running a little bit over, but since we had some good questions come in, we’ll take a little bit of time to answer them if you’re able to stay on. The first question that we had that came through was, “Due to cyber policies being so new and so different, how does a person check their policies, apples to apples?”
Stephen Tuuk: Paul, I’ll turn that over to you.
Paul King: Sure. Thanks, Steve. The easiest answer to that one guys is, there are certain areas, certain critical areas. We looked at some of those common coverage clauses, and we looked at some of the items that we said were more emergent. You take lists such as those, and you start comparing on a very high level. Then the next piece is, and so, that’s really where the majority of the analysis is going to be at the moment. Do you have X coverage grant? When you talk about in a much more mature market like an EPL, or employment practices liability, or crime or some others, which has ISO forms, it’s easy to do the apple-to-apple. I hate to say it, but you can maybe get apple to cranapple maybe, as far as comparisons go when you get down into the nitty-gritty, but because there is no standardization, you are looking at headline, header terms, and then the differences in differentiation between the forms can oftentimes be in the language contained in those clauses. Steve, other thoughts there?
Stephen Tuuk: Yeah, I think look at the relatively plain vanilla activity that is going on in your business, and then match that to the definition is step one. We can all consider remote possibilities. We can all consider the esoteric situations, but go back to the ordinary and regular activity and see if that is covered to your satisfaction. I think you’ll see more standardization down the road. We’re just not there yet. Tyler?
Tyler Adams: All right. Yep, next question. We recently renewed our cyber insurance. Our current carrier has reduced coverage per incident from $250,000 to $50,000, which is not sufficient. But our agent has been unable to locate coverage at a higher amount. Is that your experience too? Or is higher per incident coverage available?
Paul King: I hate to say it this way, but the market is, there are some classes, there are whether classes of business, and there are some individual firms, because of their individual risk profile that are seeing some decreases in the market. Not nearly as common as say public D&O or IPO, D&O coverage at the moment, which is a rapidly hardening market. But when it comes to the cyber piece, there are some cases where that is playing out.
Paul King: Now, that being said, whether it sounds like that may have been a situation whether this is similar to cybercrime, and if that is the case, i.e. wire fraud, type of losses business email compromise, phishing when we’re talking about social engineering. There may be some alternate coverage available via the crime policy, so I would explore there. I would also look and see if perhaps they are manipulating the retention size on any of these coverages that you’re seeing a decrease in, especially if there was a loss in the past recently as an impact on the availability of limit.
Stephen Tuuk: Yeah, I’ve seen two things go on, first, cutting the limit, or the limit on the sub limit, going from say 250 to 50, as an example, or more commonly, I’ve seen 250 go down to 100. The other thing is you can buy it back sometimes for a considerably higher price. Back up to the 250. The common push pull is to try to get it up to say $1 million so that you know that you have enough for any one single event.
Stephen Tuuk: But I see an awful lot of manipulation and I certainly empathize with the person asking the question because it is not easy to go down that far that quickly and look at some of the problems that are emerging at far greater rates and in far bigger numbers.
Paul King: To Steve’s point guys, I would say just one other thing, if it was an event-specific issue, like something happened, there was a loss, but then prompted the insurers, I’m only going to put up X. I think it at that point, you need to really look at other options that may be available whether retention wise, or whether it be some other form, that crime piece. It’s typically where we need to get those higher limits as Steve mentioned. There’s been more success in that recently than there has been on the cyber policy.
Stephen Tuuk: I’ll throw one other at least idea out there. The difference in condition coverage has been a way to extend it, particularly if there are other coverages available within the common suite of coverages. DIC becomes then, this backstop, and it operates not just like an umbrella policy, which adopts the underlying triggers that actually expands the scope of coverage, recognizing the pod of coverages that are already there. DIC is not something that’s ordinarily discussed in the marketplace, because it’s not an admitted cover, and so, I would at least encourage some thought towards that direction after the placement is made.
Tyler Adams: Great. All right. Well, since we’re running over, we’ll end it there. Just want to really thank Steve and Paul for both joining us today. Excellent Webinar, tons of great content. We will be sharing out a recording from this session later today. It will also be available on the CertifID website. And if you have any follow-up questions, please don’t hesitate to send them over to us, and we will try to get you answers and get those sent out as well. So, thanks again. I hope you all tune in next month for the CertifID monthly fraud briefing. Have a great day.
Paul King: Thanks, everyone.