Innovations in information technology spur need for up-to-date underwriters

November 6, 2006 by

With rapid innovations in the field of information technology, types of underwriting that didn’t exist a few decades ago have become prominent today. For example, companies engaging in information technology businesses face daily exposures from theft or damage caused by hackers or viruses, performance delays, loss of intangible property, or the leak of customer information. To help explain some of the intricacies and potentials of underwriting information technology, Mary Saunders, information technology errors and omissions (E&O) product manager for Shand Morahan, joined Insurance Journal in the latest installment of the “How to Write” series on www.InsuranceJournal.com.

Saunders has been involved in IT since Shand started writing electric data processors back in 1985. According to her, the roots of IT reach back to when some of the big computers like ENIAC, short for Electronic Numerical Integrator and Computer, started in 1943. When those systems were completed in 1945, ENIAC could be reprogrammed to solve a range of computing problems. In the mid-1970s, advancements brought room-sized computers to the desktop with microprocessors and mini-processors. Then, the Apple II came along, which added floppy discs to the picture — quite an advancement for the time.

The Internet started by linking universities’ research departments to the U.S. Department of Defense. Since that time, the industry has brought down the cost of using computers and the Internet significantly, allowing businesses and individuals to “surf the Web.” The number of Internet hosts has grown tremendously in a few short years, from less than 1 million users shortly after it started to more than 1 billion, according to World Internet Stats’ tally as of June 30, 2006.

“IT professional liability has grown by a factor of 200 percent since the year 2000 and is estimated to continue to grow at an annual rate of 11 percent for the next two or three years,” Saunders said. “That is a pretty sizable growth for any class of professional liability.”

She said that includes a variety of professionals in the IT category. Data processors who use and store data, for example, may provide services in the area of medical file maintenance. They store and maintain overwhelming amounts of data, Saunders said, and “how critical that data is determines whether you have a high risk or low risk account. Medical data is pretty high. Old tax records, for example, may be pretty low.”

Much of the exposure is driven by the services and the application of the services, Saunders said. “If you consider a software designer and look at some of the applications, the first down markers on televised football games, for example, are created by a software designer. But other software products are a lot more critical to life and limb. A 911 service, for instance, is also a software application.” IT coverage can include Web site designers, Web site hosts, application service providers and a range of other professionals.

Software designers are people who do system analysis, Saunders added. “They come into an office to do a full system set up by listening to the needs [of customers] to figure out what is going to meet them.”

Types of IT firms
While IT providers and related businesses can earn millions to billions in revenue, Saunders said her company prefers to write smaller firms, up to $15 million to $25 million. IT companies, in general, tend to be entrepreneurial in spirit, often starting from people who previously have worked at larger firms, she noted. “They start small, with fewer than 15 employees, which is a very large growth class in FIC codes. I’d say firms in the 25 or fewer size category employ 50 percent of the country, and these are right in that segment,” Saunders said. “As far as geographic diversity, they are spread across the country.

“We have seen certain pockets with high tech development or research teams that spring off of a university,” she continued. “The University of Texas in Austin, for example, has a big research facility and springs off a lot of small businesses on a regular basis. Other universities are doing the same type of things now. And those universities could be anywhere. We’ve seen some in the south, southeast, Illinois, central Illinois and even in big cities as well, like San Francisco, New York and Chicago,” Saunders said.

Atypical losses?
With such varying types of businesses, Saunders said general liability coverage will not cover many typical IT losses. She cited some losses her company has dealt with.

In one instance, “we wrote a spreadsheet designer,” she said. An error in the spreadsheet the company created caused a construction company to under-bid a project by $250,000. The company claimed the software instructions were unclear enough to prevent an employee from making a mistake on defining a spreadsheet. It was held responsible for that $250,000.”

As another example, Saunders described a consulting firm that had hired an automated accounting office to write the specifications for the clients’ computer network. When the hardware and software were later found to be incompatible, the firm was sued. That resulted in a loss in excess of $100,000.

In another case, a manufacturer that hired a system integrator filed a $14.1 million lawsuit because its computer system was not architecturally compatible with the system it tried to integrate.

In another case, a firm recommended its client implement certain business application software, but failing to identify a bad sub-program subsequently caused problems in the internal database. The client alleged negligence and fraud, and sought punitive damages of $425,000. “We settled for something close to $250,000,” Saunders said.

And, “we had another example of a Web site hosting facility [that was] sued by a popular actress,” she noted. One of the sites the facility hosted overlaid the actresses’ head shot on the body of someone else. The hosting facility had a contract with the client that held it harmless, but Saunders said her company spent $200,000 defending the hosting facility and bringing the liability to the Web site owner.

“In these situations we do look at whether an account has general liability,” Saunders said. Yet none of the losses mentioned would have been covered by a general liability policy, even one without a professional services exclusion, she indicated. “The key elements that are required on a general liability policy just aren’t brought up in these claims. There isn’t bodily injury, there isn’t property damage, and there isn’t advertising or personal injury. So that really leaves IT professional firms out in the cold as far as coverage for any of these common types of losses they might have,” she said.

Rules governing IT
Furthermore, IT professionals need specialized coverage because the regulatory environment at the national and state level continually change and require monitoring. “I know that here in California there is quite an aggressive law regarding notification of people regarding their identity being exposed,” Saunders said. “Now there are 13 to 20 other states that have a similar law in the works or already on paper. That changes the profile for any IT professional that, for example, has a service where somebody’s data might accidentally be revealed to the public.”

Saunders said many IT requirements come from credit card companies as well. “Anyone who accepts a credit card is also subject to a wide standard of requirements. The [protocol] that is mandated by the credit card industry has 12 points, with each of them having about 20 subpoints. [It] is quite a complicated piece of work, and there is no grading process in compliance. It is a set standard — you either comply or you don’t.”

Understanding underwriting
Despite the intricacies of IT operations, it is not that difficult to underwrite IT firms once you do your homework, and the business can pay off, Saunders said. The first step, she said, is understanding what the exposures of the account are and placing the business into the framework of what the policy covers. Most professional liability policies for IT are a unique form conceived by each different company. “It’s pretty important to take a close look at the coverage provided in each form,” Saunders recommended. All the forms are either “claims made” or “claims made and reported.”

“Claims made’ policies are a little less restrictive on the reporting requirements, and therefore “claims made” is a little broader than “claims made and reported,” Saunders explained.

Additionally, agents should look to the terms to determine what the definition for damages is. “Often, a policy may be silent on punitive damages. There are also differences on policies as to whether they cover the reporting of an incident that may result in a claim, or whether they just take that information in and don’t necessarily trigger coverage,” Saunders said.

“Different companies define professional services in different ways,” she added. “Some take the definition from the insurer’s own application and use that as their definition of professional services on the policy.”

Tacking on new challenges
“Despite the challenges in understanding “techies” and their varying business operations, Saunders said she believes the category “presents a great opportunity for growth.”

“We are looking [to expand] our product line to add in some features to cover Internet liability, hackers liability and loss of the insured’s first- and third-party coverage by endorsement on our form,” she said. “There is a great deal of opportunity for growth — and a great deal of expansion to cover the insured.”