Why the Simplex in Cyber Liability Needs to Change
Our industry loves acronyms and buzzwords. Allacronyms.com publishes a list of 1,086 insurance industry acronyms. Iwebhound.com has an acronym list that is even larger. You can tell when insurance people are talking to insurance people, because every other utterance is an acronym or an industry buzzword. We get so caught up in this world of expression that when we are explaining coverage to a customer, we have to slow down and use words like bodily injury instead of BI so the client can understand in more simple terms what we are trying to sell them. Clients like simple. I haven’t met one yet that doesn’t.
In the buzzword(s) department, we have worn out words like synergy, collaboration, value-added and cross-sell – all of which have burned through their useful effectiveness. One that advertising and educational forums have been using for a few years now has recently popped up in the trade press: “simplexity.”
Simplexity is a merger of simple and complex. What is simple can be made complex and what is complex can be made simple. Webster’s dictionary doesn’t recognize it as a word yet, but Wikipedia cites sources of its possible origin. When we explain coverage to clients in the future, we can talk about the simplexity of each coverage form.
The world of cyber liability coverage forms in the marketplace is about as simplex as you can get right now. An instructor at a Certified Insurance Counselor James K. Ruble Seminar last year described the coverage forms available as the “Wild, Wild, West of Insurance.”
With more than 60 standalone policy forms in the market and countless additional endorsements that offer some stripped-down coverages in the first- and third-party coverages, cyber liability is readily available for sale. You can read trade journal articles weekly about the need for customers to buy cyber liability and the comments from industry professionals about not understanding why more customers do not see the light and purchase coverage. Customers won’t buy what they don’t understand.
Cyber liability forms are mostly non-admitted paper, claims-made with retro dates. Some coverages pay on behalf of and some reimburse you, some cover notification costs up to a dollar amount and others have a number of notified individuals cap and deductible for notification costs.
When comparing coverage with one carrier versus another, as independent agents will do, many times it is difficult to get past the first- and third-party coverage description headings to get to the forms to do a quality job of coverage comparison for clients. We’ve made it too simplex and complex, and we need to move quickly as an industry to simple.
The arguments presented for why we don’t have greater standardization of coverage descriptions and language in cyber liability do not hold water any longer. Here’s why:
- It’s still a relatively new coverage, so coverage is evolving. It’s not a new coverage. Cyber liability had its origin in the late 1980s, and there has been plenty of carrier activity in introducing policy forms during the past 15 years.
- It’s a professional lines form and there is no ISO to standardize language. The professional lines industry has been able to standardize descriptions of coverage such as directors and officers policies using Side A, B, C and excess Side A successfully for many years now.
- Carriers want to differentiate themselves from their competitors. They can with breach support services, claims handling, loss prevention, pricing and financing terms, limits, ease of doing business and a coverage form in simple-to-understand language.
We can start by standardizing the coverage descriptions for first- and third-party coverages.
On page 20, there is a chart showing four leading writers of cyber liability and their coverage description headers for first- and third-party coverages, taken from the online brochures we put in front of customers. Upon closer investigation of the coverage forms themselves, some of the insuring agreements that were expanded to 10 by carriers A and C are included in the insuring agreements of carriers B and D – they are just not as obvious until you dig more deeply into the form. You may have lost your customer already by showing them the chart or even two of these brochures before you’ve had a chance to get into the forms.
Cyber forms have different triggers of coverage for data breaches. Some have a specific trigger of coverage by a violation of a federal or state law, while others are much broader and can be triggered by a suspected breach. You have to go to the forms to figure out the triggers. We need to take a step back as an industry and make the descriptions of coverage easier to understand first – then work on standardizing coverage language.
We have already successfully done this with so many other lines of insurance. In standard lines commercial insurance, buildings are buildings, business income is business income, comprehensive and collision on auto are known industrywide as the same coverage descriptions.
The professional lines industry has also had some success in standardizing the basic coverages and descriptions of coverage for D&O, employment practices liability and fiduciary liability. While the professional lines industry does not have an ISO to write suggested forms and gather statistics, there are industry practice and educational groups such as the Professional Liability Underwriting Society (PLUS) that can help push standardization.
Standardization of coverage description and coverage language may be easier said than done, right? Issues such as refiling forms with states cannot be overlooked. In time, other lines of business in commercial insurance have worked through these issues, and the groups that have successfully achieved this in the past need to find ways to get this done on cyber insurance.
The need for cyber coverage is obvious. The market’s capacity and competition for cyber liability are robust – many sellers and many buyers. There’s no oligopoly, monopsony or monopoly on product availability and supply. Yet there are still more first-time potential buyers of cyber insurance in the market than there are renewal buyers. Why is this still the case when we have privacy laws in 48 states and many federal laws that can result in suits against our customers? First-time buyers will tell you they want to think about the presentation you just made to them. The truth is they won’t buy what they don’t understand.
Complex to Simple
When we simplify form and language, more agents will understand how to sell this product and more clients will purchase. Carriers want these first-time purchasers. Standardizing language might help competition and movement more, and competition is healthy for our industry and our customers.
We want to see every customer that has a cyber-breach exposure buy coverage. The reasons why more clients have not purchased coverage yet are simplex. Coverage descriptions and language are not standardized but they can be and need to be. We need the leaders of our industry, carriers and professional lines experts that work in our industry to come together and take this line of business from complex to simple.
Carrier A
(10 Insuring Agreements)
- Theft & Fraud
- Extortion
- Computer Data Loss & Restoration
- Forensic Investigation
- Business Interruption
- Crisis Management
- Regulatory Response
- Notification Costs
- Credit Monitoring
- Privacy Liability
Carrier B
(6 Insuring Agreements)
Carrier C
(10 Insuring Agreements)
- Crisis Management Event Expense
- Security Breach Remediation and Notification Expense
- Computer Program and Electronic Data Restoration Expense
- Computer Fraud
- Funds Transfer Fraud
- E-commerce Extortion
- Business Interruption & Additional Expense
- Network and Information Security Liability
- Communications and Media Liability
- Regulatory Defense Expenses, Including Fines & Penalties
Carrier D
(8 Insuring Agreements)
- Network Asset Damage
- Network Extortion
- Crisis Management
- Network Business Interruption
- Data Breach Liability
- Privacy Regulatory Proceedings
- Notification Costs