The non-standardized nature of cyber insurance and E&O insurance policy wording creates the opportunity to mold an individually tailored and responsive risk transfer tool.
One of the nuances of the cyber and errors and omissions insurance market is the lack of standardized policy forms. With the lack of a standard definition, the opportunity exists for policyholders to mold cover that is tailored to their business’s exposures, according to Aon’s report “Why Now is the Right Time to Customize Cyber and E&O Contracts”.
This landscape empowers risk buyers to negotiate a precise and clearly worded cyber and errors & omissions (E&O) policy.
Current supply and market conditions are combining to make it an ideal time for customization in the cyber and E&O market.
According to Aon’s Global Risk Management Survey, cyber attacks and data breaches continue to be the number one risk facing organizations globally. They are also predicted to stay on top for the next three years, as costs of single data breaches reach all-time highs and ransomware attacks return with a vengeance.
Ransomware attacks rose 203% and cyber premium rates declined by 17 percent in Q3 2023, extending trends in each for a third consecutive quarter.
Overall buyer-friendly cyber market conditions have continued through Q3 2023, with greater competition and more capacity available (see Cybersecurity Spending Trends).
The Aon report emphasizes the current market opportunity for policyholders to tailor their cyber and Errors & Omissions (E&O) coverages to better fit their specific risk needs.
The key takeaways from the report:
- Non-Standardized Policy Wording: Unlike other policies with standardized wording, cyber and E&O forms present a unique opportunity for variance in policy wording, allowing for more tailored risk transfer tools.
- Favorable Market Conditions: Current market conditions are more favorable compared to recent years, making it an ideal time for organizations, with the help of their counsel, to customize their cyber and E&O policies.
- Early Start and Right Team: The report advises starting the policy negotiation process early, at least six months prior to renewal, and forming a comprehensive team that includes not just risk management professionals but also cybersecurity, data privacy teams, and legal experts.
- Cyber Risk Landscape: The report notes that cyber attacks and data breaches remain the top risk globally, with ransomware attacks and cyber premium rates showing significant trends in recent years.
- Customization Approach: Businesses are encouraged to analyze their specific industry and business risks to tailor policy language effectively. This includes a close examination of policy exclusions and managing terms like business interruption.
- E&O Coverage Points: For professional service companies, E&O cover is critical for business facilitation. The report suggests ensuring E&O policies address both risk transfer and business goals, including specific policy language requirements often demanded in customer contracts.
- Long-Term Partnerships with Insurers: Identifying insurers that understand an organization’s business risks and are willing to customize policy wording is crucial, especially considering the potential volatility in the market in the coming years.
- Rising Privacy Concerns: There is an increasing underwriting scrutiny around privacy exposures and data collection, including new regulations, which businesses need to consider in their policy customizations.
The report Challenges for Cyber Insurance Market’s Growth Potential concludes that given the dynamic nature of cyber risks and the evolving technology landscape, a high degree of customization in cyber and E&O policies is essential to ensure clarity and adequate coverage when it is most needed.
Ransomware frequency & cyber premium rates
The cyber and E&O market is favorable to buyers now but may become volatile over the next three to five years should loss frequency and severity continue to develop unfavorably in 2024.
It is therefore especially important that buyers identify the right long-term insurer that understands their business risks and is willing to customize policy wording to address exposures and incident response strategies.
Systemic risk remains a top concern for insurers. Carriers continue to evaluate, scrutinize and, in some instances, restrict coverage offered for critical infrastructure, systemic or correlated events, supply chain and other critical third-party dependencies, and war.
Privacy-related losses are mounting and becoming more severe as well. Underwriting scrutiny related to privacy exposures and data collection, including biometric information, pixel tracking, and new privacy and consumer protection regulations is increasing (see how Cyber Insurance Market Dynamics Changed Significantly).
Steps Toward Creating a Customized Cyber and E&O Policy
Complexity in the cyber and E&O market is only furthered by the dynamic appetites of cyber insurers and the constant evolution of technology risks. This results in regular changes to insuring agreements and exclusions.
The market can often be a moving target. Yet, as daunting as it may seem, the prospects of negotiating a cyber or E&O policy that’s specifically geared to a business’s exposures are good.
Buyers can enhance their chances for positive negotiations by following this advice:
1. Start early. Shaping cyber policy wording requires a collaborative discussion among key stakeholders as early as six months prior to renewal. This is critical because the team involved in evaluating exposures and loss scenarios will be large and varied.
2. Form the right team. The far-reaching consequences and intricacies surrounding technology risk require a team of colleagues that goes beyond risk management professionals. The team should include members of the cyber security and data privacy team, legal teams responsible for managing contracting, claims management and colleagues experienced with delivering business continuity plans.
3. Include experienced external partners. Having the right insurance professionals to assist in crafting appropriate policy language and negotiating with the insurer is important. Outside counsel may also be brought in to focus on policy drafting and interpretation.
4. Measure against business and industry cyber exposures. Policy language should be measured against the business and industry-specific exposures and loss or claim scenarios that are most concerning to the business. Identification of these scenarios, against which the policy wording will be tested, requires consideration of both frequency and severity of potential losses. This ensures that customization of the policy aligns with the organization’s risk appetite and risk management philosophy.
5. Analyze policy exclusions. Similarly, policy exclusions must be critically analyzed to determine whether losses and desired covered claims could be excluded. With the breadth of coverage available under cyber and E&O policies, claims and losses are typically multifaceted with both first- and third-party components.
6. Manage other policy terms, including business interruption. Other policy terms can be concerning to a business, including how business interruption losses will be calculated and presented. The base policy form often requires losses to be proven using a methodology that could be illogical or impossible for some organizations to navigate.
Consider These E&O Insurance Coverage Points
In addition to the risk transfer value of the policy, E&O cover is often key to business facilitation for professional service companies. Customer contracts regularly are revised to include E&O insurance requirements that go beyond minimum required limits and include specific policy language requirements.
Three common examples include: an additional insured status for the customer, a waiver of the insurer’s rights of subrogation, and the service provider’s insurance being primary/non-contributory to any other insurance, including the customer’s.
While E&O insurance policies can accommodate these requests, the policy language should remain aligned with the organization’s risk management philosophy and balance protecting the organization against facilitating business needs.
- Ensure E&O due diligence. E&O policies require a similar level of due diligence to ensure they address the risk transfer and business goals of the organization. The definition of professional services, which serves as the gatekeeper for all E&O policy coverage, is particularly important. Insurers will often push to have this definition be as narrow and specific as possible.
- Consider an alternative approach to defining policy services. An alternative for defining professional services involves requesting an omnibus definition. It contemplates all services contracted to be provided by the organization or any third party for which the organization is legally liable. While some insurers will be receptive to this definition, they will have heightened underwriting expectations. The policyholder should be intentional with how contractual risk management, business development, and conflict resolution are presented to the insurer. This is critical for securing the insurer’s support.
“The base policy language in many E&O insurance policies may not strike the necessary balance and should be customized appropriately. Since this is different for every organization, it’s an area where collaboration between risk management, legal and business teams, alongside the insurance broker, is critical.”
Christopher Mee, Senior Vice President, E&O/Cyber Product Team, North America
Cyber and E&O insurance policies provide a broad array of coverage designed to address the myriad losses associated with cyber incidents and professional service risks. These policies are not one-size-fits-all.
They require a high degree of customization to ensure clarity and coverage when needed most.
AUTHORS: Darin McMullen – E&O/Cyber Product Leader, Cyber Solutions, North America, Christopher Mee – Senior Vice President, E&O/Cyber Product Team, Cyber Solutions, North America, Pablo Constenla – Head of Cyber Coverage & Claims, Cyber Solutions, EMEA, Helen Chapman – Head of Coverage and Insurable Risk – Specialty Products, Global Broking Center and UK Commercial Risk, Dan Screene – Head of Cyber Coverage, Global Broking Center and UK Commercial Risk