Cyber Exposure Liability
A new complexity has emerged in the already complex professional liability coverage market - cyber exposures. Most professionals, such as health care providers, lawyers, accountants, and many other professionals maintain highly sensitive records about their clients. Maintaining the confidentiality of those records is becoming more challenging. These records are accumulating in electronic storage devices and the cyber criminals are becoming more intent on stealing the valuable social security numbers and other damaging information.
The contributors to this month's cybercast explain that coverage for cyber exposure is no longer merely recommended for professionals but instead should be viewed as mandatory. The good news is that the professional market is ready, willing, and able to provide it.
Cyber exposure adds new complexity to an already complex type of insurance
By Joseph S. Harrington, CPCU
Networked technology allows professionals to provide even more knowledge and service to their clients, but it comes at a price.
The sensitive, confidential information clients share with their doctors, lawyers, accountants, and other professionals is essentially under siege from computer hackers, some backed by nation-states, which relentlessly search for vulnerabilities in information security.
While some data losses can lurk undetected for years, there is also a growing source of professional losses that can be immediately evident: ransomware.
"We're seeing ransomware becoming an increasing risk for professional service providers," says Gregory W. Leffard, president, Hanover Professional, at The Hanover Insurance Group.
"In this scam," he explains, "hackers hijack a professional's data and withhold it until a ransom is paid. This kind of activity can cause delays, lead to missed deadlines, and result in damage to the clients of professionals."
Leffard also finds that "phishing" scams are more common than ever, and hackers have learned how to get the unwitting support of a firm's staff in their quest for confidential information. Phishing attempts that use emails with corporate logos appear quaint when compared to the ability hackers now have to impersonate the tone and word use, as well as the sender, of email messages within organizations and among acquaintances.
"Good independent agents are talking frequently with their professional clients about their risks and taking steps to mitigate exposures," he says.
"Cyber" exposures are the most pressing new professional liability exposures for accountants, says Bill Rooney, senior underwriter for Philadelphia Insurance Companies.
"Accountants are among the professions that have full access to a client's personal information, including?Social Security numbers, bank account details, and personal health information," he says. "Historically, accountants maintained paper files for their clients and the exposure was limited to physical theft of their paperwork. However, in the past 15 years, most accountants have implemented digital files on their clients and are now exposed to the potential of a data breach."
This exposure has grown as more and more accounting firms provide payroll processing services. "Accountants have always provided this service," Rooney says, "but the increase in payroll software providers has allowed accountants to provide payroll services to more clients with low overhead. There are many potential exposures, mainly related to payroll tax filing and fraud."
Attorneys also face increased cyber concerns. In its 2015 annual survey report on Lawyers' Professional Liability Claims Trends, brokerage and consulting firm Ames & Gough characterizes cyber security as "an emerging area" of concern for law firms. Of the nine carriers surveyed (those providing coverage for most of the American Lawyer Top 100 firms), three reported a claim from a cyber or network security event.
The report adds, however, that "many predict that numerous other law firms have been hacked, but either aren't aware of it or don't want to go public."
Even though some coverage is available under typical lawyers professional liability policies for breach of a third party's data, Ames & Gough finds that "more firms are turning to the broader cover … offered by a stand-alone cyber liability policy."
For doctors, nurses, and other professionals, liability for the security of patient data is a growing concern for the practices they create or that employ them. Stephen Riemer, CEO of Hallandale, Florida-based Riemer Insurance Group, points out that cyber liability represents a big coverage issue for medical facilities, as well as other firms, including law firms, financial institutions, and more.
"Entities like these are responsible for personally identifiable information for thousands of customers," Riemer says. "An entity may be the victim of a data breach and not even be aware of it until years later."
For lawyers, according to the Ames & Gough report, professional liability insurance claim frequency has stabilized, but severity continues to rise. The report also points out that real estate-related claims have subsided since the housing collapse of a decade ago.
Those findings align with observations of Stephen van Wert, president and CEO of Founders Professional, a wholesale brokerage based in St. Petersburg, Florida. He notes that "the severity of claims continues to increase each year due to normal claims inflation," and adds that "claims coming from the real estate sector have slowed down compared to a few years ago, when they were quite strong."
Van Wert says that "many insurers have exited the one- and two-attorney space altogether, and American Bar Association statistics show that 49% of all lawyers in private practice are solo attorneys, so a large market segment is being adversely affected.
"Mid-sized firms are fairly flat in pricing, and large firms are seeing their rates go down," he adds. "Excess layers seem to be getting less expensive and, while it is still fairly uncommon to get a full $10 million limit from one carrier, there is more quota sharing to build up to limits of $10 million or more."
According to Ames & Gough, the leading source of professional liability claims against law firms remains what it has been for several years: conflict of interest claims that arise when firms incorporate new staff members from other firms. "Conflicts are a growing concern today," the firm's report states, "as increasing numbers of law firms seize opportunities for growth and expansion either through mergers and acquisitions or by bringing in lateral hires."
In its 2015 Benchmark Study of Healthcare Professional Liability Claims, Zurich Insurance reported findings similar to those made for other areas of professional liability coverage. "Claim frequency remains steady … and is projected to remain so in the near future," writes Patrick Moylan, Zurich's senior vice president and head of healthcare professional liability. "Average claim severity continues to increase with an annual trend of approximately 4% over the period 2007-2012."
He adds, "The percentage of claims closing with no payment remains stable and is consistent with results from other professional liability lines of business."
A significant change in the nature of medical professional liability exposures, however, emerges from a CNA report on Nurse Professional Liability Exposures. According to the report, claims arising from home health and hospice care increased from 8.9% of the sample in 2011 to 12.4% in 2015. Total paid indemnities for hospice and home care claims in 2015 ranked third among 14 categories of coverage in the survey, behind obstetrics and adult medical/surgical, but ahead of urgent care.
"Claim frequency has increased in non-hospital-based specialties … reflecting the overall migration of healthcare toward outpatient settings," the report states. "One consequence of this shift is that, more than ever, home health/hospice nurses must be in frequent communication with the patient's practitioner."
Accountants are seeing increased exposures as they become more integral participants in their clients' operations. "Many small businesses are turning to accounting firms to act in the capacity of a chief financial officer or controller," Rooney says. "Without a strong engagement letter that clearly defines the accountant's responsibilities, the firm can face a significant exposure that an accountant's professional liability (APL) policy is typically not structured to cover."
In particular, while most APL policies provide coverage under a sub-limit for acting as a director or officer of a nonprofit organization, there typically is no coverage for acting in a similar capacity for a for-profit enterprise.
Technology consulting is another group with professional liability exposures. "The increased number of such firms and the scope of their services led to development of policies specific to the exposures facing technology ?consultants," Rooney says.
"More computer consultants are developing proprietary software and customizing it to meet specific needs of their clients," he says. As a result, "technology consultants face product liability exposure with regard to their custom software development," as well as "significant professional liability exposures with regard to information security and contractual liability."
According to Riemer, demands for higher wages are driving an increase in the need for employment practices liability insurance (EPLI), with wage and hour defense coverage. "Employees are fighting back on wages," he says. "As a result, claims are rapidly increasing against most of our risks."
Given the overall growth in exposures, coupled with increasing capacity to assume those exposures, producers who sell professional liability coverage can still thrive, but they need to remain committed to what they've traditionally done: Know their clients, understand the business and professional demands on those clients, and be proactive in identifying and addressing emerging risks.
Cyber is one such risk or exposure. "Every accountant's risk should have some sort of cyber or privacy coverage, either through an endorsement or a separate policy," Rooney says. That's good advice for other professions as well, of course.
"For agents to sell cyber, they have to convey the need for insurance protection to the insured," Rooney adds. "Despite many publicized data breaches, many smaller accounting firms do not believe they will be the target of a breach." Again, other firms-particularly smaller ones-may exhibit similar ostrich-like tendencies.
Leffard of Hanover Professional points out that, as exposures increase, the professional liability market has expanded beyond the traditional classes of business, such as doctors and lawyers, to include other professions like real estate agents, home inspectors, and property managers.
"Independent agents can leverage tools and services offered by carriers to help manage and mitigate the complex risks that are specific to these clients," says Leffard. "Resources like risk management seminars, professional liability risk management hotlines, articles, guides, checklists, and engagement agreements can all help clients better protect their businesses."
He adds, "For carriers that are committed to helping their agents succeed, the goal should be to provide the right resources to manage the issue at hand, minimize any damage, and avoid a claim. Those who do this well will continue to thrive going forward, regardless of prevailing market conditions."
For more information:
Founders Professional - FoundersPro.com
Reimer Insurance Group - RiemerInsurance.com
Hanover Professional - Hanover.com