I was able to participate recently in a discussion with my peers about how to place Cyber coverage in this difficult marketplace. Carriers are tightening up, claims are through the roof, and it's hard enough to get basic information out of your Insured. It gets even harder when the information changes constantly and no answer seems to be good enough. Take a listen as our group talks about challenges and opportunities in the marketplace.
I was interviewed for an article in Benefits Pro regarding the SolarWinds breach.
Check out the article here.
Benefits Pro Article
An oldie but a goodie. See my article on the difference between ERISA, Fiduciary, Fidelity and Employee Benefit Liability. Commonly confused but distinctly different.
Listen to our panel on Cyber Underwriting for smaller risks. Here.
Cyber insurance penetration of the Small to Medium Enterprise (SME) segment is growing. This panel discusses key questions including how do we access this market, how do SME losses differ from larger accounts, and how are they different to underwrite.
How to Choose Your Insurance Broker
Monica Minkel, RPLU, MLIS
All businesses need insurance. While there are a few insurance companies in certain areas or industries that are ‘direct writers’ – which means the carrier works directly with the Insured – most businesses use a broker or an intermediary to get to the various insurance carriers. The need for a broker creates the challenge of choosing the right broker and knowing how to evaluate your representation.
The insurance broker has two very important responsibilities. The first responsibility is knowing your company and your exposures. The second responsibility is knowing the marketplace and the carriers. Without knowing your needs, the broker will not be able to advocate for you and if they don’t know the marketplace, then they will struggle to find the right carrier or products to meet your needs. When you can overcome the very initial basics of knowing your company and knowing the market, how do you then sort out the good from the bad? Anyone can sell you a policy. How can you make a good decision on the right partner?
Below you will find a very simple matrix built on the following concepts. It seems to me that there are five key areas that I use in making my own decisions when evaluating a business vendor. I see customers using these same criteria as they make their own business vendor decisions.
1. Likability – we all want to work with people we enjoy. We will spend more time and provide more information if we have a good personal relationship. The likability factor is an important one because your team will be forced to interact with the broker’s team. It’s best if these people enjoy the experience. You need to know your team and they need to know you.
2. Competence/expertise – the team needs to have the basic competence to do the work and the requisite expertise in the areas that matter to you. If they’re not competent, then likability won’t be enough. Competence and expertise do not always mean having a huge book of similar clients (although that may help), but a strong understanding of the issues and some experience accomplishing your goals and objectives will go a long way.
3. Accessibility – you need access to the right people at the right time to be able to deal with day to day issues and also challenges or changes as they may arise. It’s great if they are competent and likable but if they don’t return your phone call, you probably won’t be happy. Look carefully at how many people are on the team and where they are located (geographically and strategically within the company). They need to be accessible to you but also to each other.
4. Approach to Risk – is the broker transactional or consultative? Are you being offered solutions to problems or products for sale? Does the broker’s approach to your risk management challenges align with your own? Products may change and people could shift, so it is important that the strategies of the companies be aligned. Growth and other changes to your company may impact your needs. Is the approach to risk one that will work for you now and in the future?
5. Process – consider the process for everything from how a renewal is handled to how new products are developed and implemented. Any broker can provide a policy to you this year. Is there a process to make sure that your policy keeps up with your exposure? How are new exposures addressed and covered? The renewal process should be about discovery and updates, not just renewing what you have. Is there a process for the day-to-day tasks like issuing certificates and checking policies? The little things matter as much as the big ones. Don’t be afraid to ask questions about the minutiae.
The reality is that there are many, many competent and capable brokers. In most cases, it is likely that any one of the brokers you may be considering could adequately place insurance for you. You deserve to work with a team you like. Companies change over time so any broker you engage should have a process to identify and address the changing needs of your company. In addition, any broker you engage should be able to update you and your coverage to keep up with changes in the marketplace (coverage and carriers). And it never hurts to have a team that is passionate or at least fiercely knowledgeable about your specific industry.
Here is a simple rating tool to help you with the process. Simply rate the brokers you interview from 1 to 4 (with 4 being the best and 1 being the worst) and add up the total. The broker with the highest number wins.
Need more help? Contact us at www.emergingrisks.net for additional support and analysis of your insurance needs.
Monica M. Minkel, RPLU, MLIS is Senior Vice President and Regional Director – MPS, for USI Insurance Services. Based in Denver, Colorado, Monica and her team provide service and support to clients primarily in the western United States. Her practice is focused exclusively on Directors & Officers Liability, Professional Liability, Cyber Liability and related products. She currently serves as Chair of the Southwest Chapter for the Professional Liability Underwriting Society, the premier leadership organization for Professional Liability insurance professionals.
Social Engineering is an ongoing issue. Sometimes called Cyber Crime, Impersonation Fraud, or Cyber Deception, the concept of Social Engineering is manipulation of an employee to voluntarily part with money. Think of it as a con man getting you to hand over your wallet.
Wikipedia defines Social Engineering:
Recently, I saw a claim from a law firm (names have been changed to protect the innocent). In August, The Firm had been 'engaged' by a Client (we'll call it Bob's Waffles) to collect a debt from another company (Jim's Syrup). The Firm sent an engagement letter to Bob's Waffles, which they signed. They accepted the case on contingency. The Firm then engaged in the debt collection process. On August 31, the Firm received a check from Jim's Syrup for $105,000 to settle the debt. On September 1, the Firm wired $101,000 to Bob's Waffles (the $105,000 less the $4,000 contingency that the Firm collected).
As I am sure you could have predicted, the check that was purported to be from Jim's Syrup has bounced. (They really should have waited for the check to clear the origin bank.) The Firm has paid out $101,000 to Bob's Waffles, who of course has stopped responding to any request for communication. This entire fraud took a very short time (total timeline is less than two weeks).
The items that are still unclear to me: Was Bob's Waffles a client before all this happened and was there any other relationship? (My guess is no.) Was Jim's Syrup a real company or one made up for the purpose of committing this fraud? (My guess is not a real company.) It sounds to me like someone duped the law firm into believing they were a real client and a real debtor when both were fake (and probably Nigerian princes).
Thankfully, through the wise and persistent efforts of our amazing production and service teams, the client has a high quality Cyber policy with Social Engineering including the Enhanced Cyber Crime coverage features. Policy has a $125,000 limit for Social Engineering loss subject to a $5,000 retention.
We reported the claim.
And it looks like the loss will be covered. We triggered the "Claim" and "Financial Fraud" sections of the policy.
So, message to all of us:
1. Cyber Crime or Social Engineering in the Cyber policy may be very broad and may pick up losses that other policies will decline.
2. Law firms are probably being targeted for this kind of scam and are very vulnerable.
Moral of the story: Don't buy a Cyber policy (or Crime policy) without this coverage.
And know what you are getting because policy language matters, a lot.
Often buyers of Employment Practices Liability (EPL) insurance don’t realize that most carriers provide a loss control / loss mitigation tool at no cost as part of the insurance policy. Typically, an explanation of the available services and how to access them is provided as the first page or an early page of the policy itself. The loss mitigation tools are almost universal among the leading EPL insurers today, yet many clients don’t know they are there and even fewer actually utilize these tools. This article will explore the reasons why policyholders fail to take advantage of these resources and how stakeholders can offer better incentives to policyholders to effect a change in their habits.
What is available from a typical insurance company? Many insurance companies, Travelers for example, offer a 1-800 number to a specialist law firm. In Travelers' case, the firm is Jackson Lewis. The client can call Jackson Lewis for no cost and inquire about a specific situation they are facing or ask questions about policies or procedures that they have or should consider. There is no cost to the policyholder for the first hour of consultation. If the situation requires more than a simple phone consultation, then the policyholder can engage the law firm for additional resources. The initial consultation is designed to help the policyholder quickly address concerning items and seek professional representation rather than attempting to go it alone.
Online resources are also provided by the majority of carriers. Online resources can be limited to a few articles or can be weekly newsletters. These resources typically include sample employment policies or even a sample employee handbook. They may provide online training including sexual harassment training that is required by certain states. The training provided meets state standards and can reduce the need for the client to engage outside help or pay fees to a consultant or training company to provide this same training.
The EPL loss mitigation services don’t cost the client anything and they are included with every policy. Yet carriers have a very low adoption rate for these services. The carriers we interviewed estimate their usage rate at less than 5%. This is an estimate of 'ever used' not regularly used. Carriers have spent a great amount of time and money to prepare these resources and promote them to the brokerage community and to their policyholders. So why do clients fail to utilize tools that can reduce their chance of a claim and reduce the severity of a claim? See part 2 of this post coming soon.
So, AIG has come out with a product that is being called Crowdfunding Insurance. The product is Crowdfunding Fidelity and it is important to remember what Fidelity coverage is and is not. I've attached a marketing document that explains the product. (currently limited to Canada and the UK)
While there have been some ‘requests’ for this kind of a product, I feel that there is limited value in this approach. As a fidelity bond, this policy only covers the specific loss of dollars stolen by founders, not anything else and does not actually make the investors whole. A Fidelity Bond is designed to cover theft or embezzlement of money. A Fidelity policy does not address mismanagement, negligence, bad decision making, and general incompetence. While outright fraud is a possibility, my experience suggests that bad timing, bad decision making, and poor management are far more likely to cause the failure of a company than the theft of money. Remember that poor planning and bad spending habits (i.e. renting way too much space, overbuying inventory, paying your staff excessive salaries, wasting money on ineffective marketing, etc.) are NOT THEFT.
Further, the Crowdfunding Fidelity product is going to be subject to some kind of deductible. The deductible may be on a per offering/Issuer basis and that deductible will be borne by the platform that purchased the policy. The deductible will serve as a significant limitation on making an investor 'whole'.
I spoke with AIG leadership on this product more than a year ago and have awaited this product with bated breath. I have asked for the actual policy forms from AIG so I can review the limitations. The marketing document says this provides coverage “If Issuers fraudulent use of investment causes business to fail”. First, I think it will be difficult to prove ‘fraudulent use’ and I think that proving that the fraudulent use caused the ‘failure’ of the company will also be difficult (who has the burden to prove that there were not other causes of the failure?).
In short, I think The AIG Crowdfunding Fidelity product is of limited value. Further, I am concerned that individual investors may have a false sense of security when making their investment because the scope is so narrow. The Crowdfunding Fidelity product may be more appropriate for something like a GoFundMe campaign but probably not appropriate at all for an equity platform.
As a platform, make sure you have a comprehensive Professional Liability product in place to address your potential liability for all of the services that you offer, including but not limited to your diligence process in selecting the offerings on your platform and the communication process related to the offerings themselves. (other insurance like Cyber and D&O are also important)
For those raising money on a platform, they should have a layer of coverage in place to address internal exposures like Employee Theft and basic business insurance coverages. Companies using a platform to raise equity or debt funding should consider D&O insurance as part of their risk transfer strategy.
Insurance does not take the place of quality policies, procedures, and diligence process. Rather, insurance is there to reduce the financial impact after the sprinklers go off.
I suspect that AIG will see limited adoption of this product which will probably discourage others from entering the market right away. There are a few groups of us that are pushing the insurance marketplace to develop insurance products that adequately address the insurable exposures of this emerging industry. I think that AIG has missed the mark with this.
Upon eventual receipt of the product, I will comment further. (have another discussion scheduled with AIG leadership soon)
Feel free to reach out directly to me to discuss further. Every platform and insurer needs quality insurance. This is probably not it.
Re-posting an update from an interesting source
Exploring the concept of FinTech and where this is all going:
Monica M. Minkel, RPLU, MLIS, cyRM, CPLP has been working exclusively with Directors & Officers Liability, Professional Liability, Cyber Liability and related products for nearly 20 years. She started her interest in finance by loaning money to her mom at age 11 (complete with a loan agreement and competitive interest rate). She is passionate about all things in the financial industry and the way technology is changing the way capital markets function.