Part II. Some Substantive Contents of Cyber Policies


Michael Sean Quinn, Ph.D, J.D., Etc.
2630 Exposition Blvd #115
Austin, Texas 78703
(o) 512-296-2594
(c) 512-656-0503
mquinn@msqlaw.com

Some General Propositions.

There are very few industry-wide standardized cyber policies of any cyber species, but there are single-company uniformities in some policies. This lack of generalized use of standardized policies persists even though insurers read specimens of each other’s policies, and have joint insurer committees discussing standardization, among many other topics.

Insurance companies have been forever conservative about moving into new topical areas. It took hundreds of years to move from coverage for protecting merchants from bandits while crossing the desert to creating primitive maritime insurance. (The maritime portion of this type of insurance was called “bottomry.”) Widely used maritime insurance, as we know it, took more than 1000 years to develop; then came commercial fire insurance a mere 250-300 years later. In there somewhere was burial insurance for soldiers, which more or less died out; guild insurance on various perils, some of which pretty much lived into the 20th century, if labor unions are the progeny of guilds; and there are other components of this grand commercial evolution.

General organizational features of cyber policies have already been set forth. In the cyber-world, some insuring agreements, some definitions, and some exclusions are quite unique. Nevertheless, cyber liability policies have thematic similarities. First, a generalized list for substantive components of first-party policies will be discussed presently. After that, such a list will be presented for liability policies. Some policies are liability policies only, others are first-party policies only. Some policies may contain all the covered categories on the lists, a few of them have fewer than that, and some policies may have only one.

Most cyber policies are package policies. This means that there is more than one form of coverage, and the insured can pick parts of them. This is not just a distinction between first-party coverage and third-party coverage. There may be, say, 10 different liability coverages, and a customer—an insured-to-be—can often pick any one or more of them. (Sometimes the customer cannot pick just one without also picking at least one more. Imagine this: if a “near to being an insured” picks Insuring Agreement #2, it must pick Insuring Agreement #6 as well.)

Of course, (a) pure excess policies, though not umbrella policies, and (b) reinsurance policies, whether the first level of reinsurance, the “merely re,” or the next level up, the “retro re,” must work the same way, though for different reasons. For excess policies, the insured under the primary policy is the insured under the excess and the umbrella. Thus, one would expect that excess policies would match up with primary policies, and that umbrella policies would also, to the extent they are not really primary policies. And one would expect that a reinsurance policy would match up with the policy being reinsured—at least for the most part. Neither of these expectations need be perfectly descriptive; the unexpected “non-match-up” can happen and be planned, agreed to, and rational.

Some Structural Categories for First-Party Policies

These sorts of policies are designed to
help the insured to deal financially with covered events that unfortunately
happen to it and cause losses.  The
nature of the potentially unfortunate event is throughout insurance called “the
risk,” and—throughout insurance—it is also called “the peril.” 

I find this common usage confusing. Guess what. The cause of my confusion is the imperfect—indeed, inconsistent—pattern of usage. Someone might think the way it should be done is this: a peril is a category of event, e.g., storms, for which there is coverage, while the risk is a concrete event of the sort which is a peril, i.e., the storm that occurred, where that event fits within the insuring agreement, but still may fit into an exclusion. The trouble is that this suggestion does not correspond to common though confused usage, and it does not set aside a term for the relationships between the potentially injury-causing event, the risk, and the probability that the insured will sustain damages, i.e., its risk. And, of course, yet another distinction would have to be drawn. On the one hand, the insured has risks arising from simply what it does and where it is done. If an insured operates a fishing boat in the Gulf, it (i) faces the risk of storm; (ii) if there is a storm, and the insured is in it, the insured faces the risk of destruction; (iii) and if the storm destroys the boat, the insured faces the risk of going out of business. There are three related but different risks here: (i) event risk, (ii) cause of damage risk, (iii) risk of loss. (Oh well. Conceptual life goes on. Besides, there may be ways to integrate the vocabularies to avoid the semantic tangles. Thus, instead of there being peril, there might be categories of risks.)

In any case, here are categories of risks that can be covered, unfortunate events that can be caused by these perils:

•  nature (actually a meta-category, or a peril-set, but never mind),

•  foul ups of the policyholder (including both negligence and some deliberate acts[i] of the insured),

•  those of another insured on the policy,

•  the policyholder’s employees,

•  one or more known or unknown outsiders,

•  either by their foul up(s) conjoined with the policyholder’s,

•  the deliberate acts of the strangers and perhaps others, as well.

Of course, more or many more of these perils can participate in the same process and/or at the same time in creating the same risks or causing the same losses. In other words, causes of loss in the cyber world are just as combinatorial and therefore as many as in the real world.

Both insurers and insureds want to know the probability of any risk, though for somewhat different reasons. And then they want to know the probability that a risk, having occurred, will cause loss.

Here are some typical insurance agreements in first-party cyber policies (or parts of policies):

•  The network security of the insured is breached.

•  The privacy components of the insured are breached.

•  A regulatory proceeding is inflicted upon the insured.

•  The insured is subject to an adverse media event, e.g., an insured is defamed.

•  The insured’s digital assets are destroyed, damaged, or rendered unusable.

•  The business income of the insured is reduced.

•  The insured is subject to an extortion or X-napping.

•  The insured’s system is subject to negligent care of some sort:

    ◦  Design

    ◦  Construction

    ◦  Maintenance

    ◦  Securitization,

    ◦  and so forth

The reader will note that many of the covered categories, though not all, turn up on both the first-party cyber policies and the third-party policies.

Of course, there is a whole variety of definitions. Some commonly used terms are defined: “Damages,” for example; “Claims” for another. Many of these terms and phrases are found in real world policies, though the definitions are most often different. Almost every term which is technical sounding and/or connected to something central in the cyber world is defined. The definitions are “stacked,” meaning that for many definitions that explicitly appear on the semantic surface of a policy (in the insuring agreement, for example), there is at least one definition used in it. And then for many of the second-level definitions, there is a third, and so on. Here are common examples of such terms: “Digital Assets” is like this, as is “Electronic Publishing” along with “Network Security,” and many others.

Some Corresponding Categories for Liability Policies

Here are some coverage categories for cyber liability policies. The insured’s liability rests upon performing “wrongful acts or omissions” (WAO [this abbreviation covering both the singular and the plural, as called for]). This whole category rests upon the definition of “wrongful act,” and all of them are first-stage triggers:

•  WAO injuring the network of another by dispatching “malicious codes,” and similar “poisons.”

•  WAO causing invasion(s) of privacy.

•  WAO causing release of private information by another by taking, turning over, distributing, or setting up others to do so.

•  WAO involving Internet media use.

•  WAO of cyber professionals and/or vendors of cyber-services,

•  Performance of any form of hacking, all of which are WAOs, and/or

•  Assisting another (or others) who actually do the hacking.

In any given policy, the definitions section and the exclusionary section are the same for both first-party coverage and third-party coverage. This is not unusual in package policies.

A Few Elaborations.

There is more public concern and outrage regarding privacy invasions and thefts than any of the others. There is also more interest in these areas where liability insurance might be involved. Much of the urging one finds in the advertising literature emphasizes this topic. It seems to me that sometimes the ads collapse together first-party concerns with privacy violations with third-party concerns. The idea that individuals might wish to buy special first-party insurance covering invasions of their own privacy coming from the cyber world is unheard of, as yet, so far as I know.

Nevertheless, cyber-invasions of people and companies (actual inhabitants of the real, real-world) are often categorized as “identity thefts,” and for good reason. Maybe a special first-party type coverage would be a good idea. Think of the marvelous subrogation cases it would generate.

Claims-Made Policies

Cyber policies are all “claims-made”
policies, so far as I know. In general, this alone distinguishes the cyber
policies from most other liability policies, which tend to be occurrence-based.
In the latter, there can be covered injury that occurs during a policy period
but which is not reported to or against the insurer by the alleged victim until
after the policy period expires, sometimes a long time after; there may be
coverage in such instances mostly dependent on the nature of the injury and
other facts about what happened. (Think asbestos). This is not the way claims-made
policies work. For them, the claim usually must occur during the policy
period. 

In spite of the above distinction, there are many phases of claims under both claims-made policies in the so-called real-world and in the so-called cyber-world. All of them contain the following concepts:

•  Event (allegedly) causing injury (the risk?),

•  The type category of which that event is a type (the peril?),

•  The injury or damage, sometimes called the “loss,”

•  The claim of alleged injury, and often a demand for compensation, made to the insured or its conduit, and against the insured (a communiqué of some sort, almost always written, but not always),

•  The notice by the insured to the insurer, often also called a “claim”—a claim or demand for coverage (Many insurers try to insist, prima facie, anyway, that the notice or claim come from the insured and usually that it must be in writing, though not always.),

•  Adjustment, also often called a settlement process,

•  Resolution or denial.

Some Substantive Contents of Cyber Policies

There are almost no industry-wide standardized cyber policies yet, but there are single-company uniformities in some policies. This lack of generalized use of standardized policies persists even though insurers read specimens of each other’s policies, and have joint insurer committees discussing standardization, among many other topics.


Some general organizational features of cyber policies have already been mentioned. In the cyber-world, some insuring agreements, some definitions, and some exclusions are quite unique. Nevertheless, cyber liability policies have thematic similarities. First, a generalized list for substantive components of first-party policies will be discussed presently. After that, such a list will be presented for liability policies. Some policies are liability policies only, others are first-party policies only. Some policies may contain all the covered categories on the lists, a few of them have fewer than that, and some policies may have only one.


Structural Categories for First-Party Policies

These sorts of policies are designed to help the insured to deal financially with covered events that unfortunately happen to it and cause losses. The nature of the unfortunate event is throughout insurance called “the risk.” These unfortunate events can be caused by

•  nature,

•  foul ups of the policyholder (including both negligence and some deliberate acts of the insured),

•  those of another insured on the policy,

•  the policyholder’s employees,

•  one or more known or unknown outsiders,

•  either by their foul up(s) conjoined with the policyholder’s,

•  the deliberate acts of the strangers and perhaps others, as well.

In other words, causes of loss in the cyber world are just as combinatorial and therefore as many as in the real world.

Both insurers and insureds want to know the probability of any risk, though for somewhat different reasons.

A type of risk that is insured will be called
a “category of coverage” or some verbiage like that.


Corresponding Coverage Categories for Some Liability Policies

Here are some coverage categories for cyber liability policies. The insured’s liability rests upon performing “wrongful acts or omissions” (“WAO” [this abbreviation covering both the singular and the plural, as called for]). This whole category rests upon the definition of “wrongful act”; in any case, however, here are some examples:

•  WAO injuring the network of another by dispatching “malicious codes,” and similar “poisons.”

•  WAO causing invasion(s) of privacy.

•  WAO causing release of private information by another by taking, turning over, distributing, or setting up others to do so.

•  WAO involving Internet media use.

•  WAO of cyber professionals and/or vendors of cyber-services,

•  Performance of any form of hacking, all of which are WAOs, and/or

•  Assisting another (or others) who actually do the hacking.

           

[The reader should please keep in mind that Quinn Blogs are intended to be thought-stimulating [or, thought-provoking] tools only. They are not intended to be perfected essays. They are in-progress disquisitions only. They are not essays polished to completion. Maybe another time.]


UNDERWRITING & CYBER INSURANCE COMING OF AGE


Michael Sean Quinn
1300 West Lynn Street, Suite 208
Austin, TX 78703
Phone: (512) 296-2594
Cell Phone: (512) 656-0403
Facsimile: (512) 344-9466

All underwriting of individual policies,
or very similar contracts, can be divided into four parts.  The parts are stacked on top of each
other.  The parts are “Everyday
Underwriting,” “Mid-level Underwriting,” and “Creative Underwriting”; each of
these parts has its own internal range. Finally, at the very top, there is “Managerial
Underwriting.”   (These names will no longer be in quotes.)  The educational literature contains nothing systematic on underwriting in the so-called “cyber-world,” and little on it at all. In fact that literature is weak.  See Joseph F. Mangan & Connor F. Harrison, UNDERWRITING PRINCIPLES (2nd Ed. 2000), Hank George, UNDERWRITING: WHAT EVERY PRODUCER MUST KNOW (2009), and Joseph F. Mangan and Connor Harrison, ADVANCED UNDERWRITING TECHNIQUES (2nd Ed. 2002).

Remember. An “individual policy” can cover a whole fleet of entities, whether trucks, boats, planes, or anything else. What’s in the fleet need not be even nearly identical, except to fall within a given category. Even planes which can also work as boats can fit three different fleets: planes, boats, and motor vehicles. It can fit into all three at once, and have different insurance for each separate function. Welcome to underwriting. (Also keep in mind that there is no such thing as insurance under-righting; this should not be different, since, in fact, there is no such thing at all.)

This essay is intended to outline how systems of underwriting departments are structured, and what problems this may have for insurers as they become more and more integrally active in the so-called “cyber-world”—a widely used but wretched phrase, if ever there was one. Here are some sample cyber underwriting questions. How should a policy be designed that is to cover warranties on the design and manufacture of digital systems? How should that kind of product liability be conceived for liability insurance? How should storm damage be insured, if at all, when it comes to various categories of cyber stuff? How should the new categories be conceived, written, priced, advertised, and so on? What about insurance for ransom demands pertaining to network-napped systems? Or for cyber extortion? What about hacking by employees? Or negligent losses by employees of actual computers and thereby their “innards,” as it were? Or illegitimate use of computer systems by employees whose uses accidentally create a hack-portal? And so on “forever.”

Some of it is a bit more theoretical, not to mention philosophical and prophetic. Some might think that the higher levels of what I am suggesting are nothing but intuitive, and a few might wish to characterize it as speculation.

In addition, although virtually all levels of underwriting use “underwriting-centric” software, the complexity of that material is directly proportional to the level of the underwriting function. Still, as of a year or so ago, specifically for it and it alone. Some underwriting groups simply designed or customized and used their own. This situation has made integrated communications difficult when different types of data are involved. The same difficulty applies when underwriters reach out for risk information, and the more intricate the more difficult. This kind of complexity and creativity is not the topic of this blog-essay, however, so nothing more will be said about it. See Gail McGriffin (at Ernst & Young), Underwriting Technologies Matures: The Birth and Rise. (www.insurancetech.com)

The “cyber world,” if that is what one
wishes to call it, is a “new world,” and so insurance and therefore insurers
and therefore underwriting must adapt and be transformed to grasp and handle its
wakes and probable (even possible) future causes of further wakes.  Given the still existing alien nature of the
so-called cyber-world, it is no wonder that an acceptable characterization of
insurance underwriting in this rapidly changing environment. 

That “world,” or that part of our world,
feeds underwriting all sorts of problems arising from all sorts of inescapable and
uncontrollable “quickeries”—birth (new product, new policies), hi-tech development
(and so new parts or new twists in policies), a spread in cyber-ness,
cyberality, cyber-centrality, in addition more and more insurance transformations
needed for the next round of cyber changes, all coming at an exponential
rate.  In addition, all of this is taking
place in the vortex (or vortices) of  what can best be called “stormy socio-politico-economic
surroundings.”

Where is all this information to come from? The understandable literature? Advisory consulting groups? Research groups? Risk management companies? Large firm intermediaries (aka agents and/or brokers), e.g., Aon, Marsh, Lockton, etc.? Some of all this is to be found in reported legal decisions which are difficult for the many to understand but partly on the basis of which underwriting decisions must be made.

It is no wonder that the underwriting world feels (metaphorically speaking) grabbed, shaken, whipped, and nearly strangled by the collected components of its new-ish, still strange and very alien environment. As learned and reliable insurance underwriting has entered and is coming of age in so-called “cyber space”–really just another name for “cyber-world”–it had and still has no consistent, reliable and universalistic methodology for collecting, systematizing, blending, analyzing and using it to make unquestionably reasonable, reliable linguistic, semantic, structural, sales and distribution decisions. Underwriting is afflicted by the disorder of untrustworthy epistemology: no reliable history, no rock solid actuarial foundations, only fragmentary and questionable statistics, and the curse of having to use the language of “yesteryear” in our whole new world. (A world in which most people are still stumbling around.)

Think about changes in underwriting when commercial sailing vessels powered by wind changed to wheel driven ships powered by burning wood, and then to ships moved along by metal propellers powered by diesel. Significantly, all of this happened relatively slowly. Keep in mind that wind driven ships and insurance lasted together, albeit sporadically, for well over 1000 years. Paddle wheelers stayed around for more than 100 years and were never really ocean-going. And ships that are metal based, at least in part, have been with us for well more than 100 years.

Insurance underwriting has been confronted with new problems slowly. Even now it is confronting a new realm as cyber technology has transformed maritime transportation and therefore maritime insurance. (The May 12, 2014 issue of BUSINESS INSURANCE contains several articles on exactly this matter. The central one is entitled Marine Sector Struggles with Cyber Risks.)

Hull insurance in contemporary commercial aviation has a set of cyber problems, even though the industry is younger—probably around 100 years or so—and involves different equipment (obviously enough) and probably a more complex financial system, at least because there are 1000s more separate flights every day than there are journeys on the high seas, large lakes, deep rivers, and canals. No doubt the cyber equipment is more complex on airplanes than on even the largest ships, given the speed at which the insured entities are traveling and where they are in relation to the surface of the earth. Commercial jets are a jungle of enormously high speed cyber systems. For discussions of the insurance niche when it comes to commercial aviation, see Peter Greenberg, The Big Money Surprise About MH370, 169.7 FORTUNE 11-14 (May 19, 2014). [MH370 is the Malaysia Airlines jet that was lost in the Spring of 2014.] (This article points out how fast hull insurance, as opposed to personal injury claims, including death claims, is paid and how many insurers may be involved in insuring one hull, e.g., one for some “ordinary physical destruction” and one for terrorist caused destruction. Greenberg does not discuss reinsurance and its levels. Nor does he draw a distinction between total and partial destruction, and he says nothing about cyber complications. No doubt the cyber category creates a whole new set of problems.)
At a more big picture, indeed, grand, level, think about the industrial revolution and its aftermath. Property insurance began to come of age slowly in the Eighteenth Century starting with the spread, as it were, of fire insurance, that started in “dribs and drabs” in the previous century, and then very slowly expanding out from there. It has now been called the “First Industrial Revolution.” It came about in a mere couple of hundred years, or—maybe—a little less. Then we had a “Second Industrial Revolution”; it has lasted around 150 years.

That seems fast to those of us that studied economic history in university, but it is nothing compared to what we are talking about as hi-tech history up to now and on into the future. See Erik Brynjolfsson & Andrew McAfee, THE SECOND MACHINE AGE: WORK, PROGRESS, AND PROSPERITY IN A TIME OF BRILLIANT TECHNOLOGIES (2011). They see this as a “Third Industrial Revolution” but mostly call it the “Second Machine Age”; they do this in order to emphasize that its essence is to produce knowledge of a new kind and at a different rate.

While all of these observations and speculations are true, two important relatively unrelated points should be made. Senior level underwriters are faced with a truly breathtaking array of pressing and significant problems, even outside the so-called cyber-world. I say “outside” because elements of the cyber world now permeate the so-called real-world.

Consider for example the following. At first it seemed to many that cyber policies would cover both “far off” cyber entities and the “close in” already familiar entities. Material (or physical) objects were the paradigm. But the mixture of categories did not work well for a variety of reasons. As a result insurers began trying not to pay for things like software when it was damaged. Sometimes they succeeded, sometimes not. After a while, they began to construct new exclusions, and they have worked: most cyber entities got excluded. Thereafter, some insurers began to exclude in so-called real-world policies–like CGL derivatives–all coverage for events having principal causal bases in so-called cyber-space. That has worked too. The trouble was and is that there had to be policies that mixed the so-called different worlds together. No easy task. It will get harder. How should robotic devices be insured? All sorts of things can happen to them. They could wreak all sorts of havoc, whether at directions from some human or some other robot or by some defect inside itself—whatever “inside” might mean.

The overall pressure on underwriters is immense. As I contemplate their burden I am put in mind of the famous Munch painting(s)—the one(s) on a bridge and other than the “Madonna.” In my view the frontline underwriters should not only be lauded, they should be regarded as something like heroes of a commercial and insurance revolution. (When I say “insurance revolution,” I am not suggesting that fundamental principles will change; the “Principle of Fortuity” will not change but a great deal that surrounds it will.)

Since this is the digital age, virtually all of every underwriter’s work is paperless or nearly so. In addition, all underwriters work together at some time and in some way. “Round Table” discussions are common now; groups that talk to each other with different ideas plus civil and suggestive criticism are always a source of improved thinking.

Even today, they are almost always “vertical” to some extent. This means that the less experienced are sitting together with the more experienced and more knowledgeable. This organization, however, must be, and usually is, conceived as a sort of seminar, as well as other things, so that ideas can be exchanged and debated and the less experienced and knowledgeable can gain from the more so. Practical wisdom can sometimes be derived from these sessions, whether they are regular (“Every Thursday morning at 7:30 both face to face and on Skype [or its progeny].”), instantaneous (“Good God. We all need to talk about this. Get it set up right quick.”) or irregular as needed. How vertical practice will work in the cyber world is not yet clear. One must be inclined to think that at some level of cyber-techno-learning, and further development of education, etc., plenty of such help will be integral for years to come, especially given the speed of innovative development.

Now let’s take a look at the four
levels.  As the paragraphs go along the
reader should keep in mind how changes in underwriting will function, how the
relationships between underwriting and adjusting will work, and how the setting
of reserves can be done when insurers are awash with rapidly moving tech
innovations.

            The function of Everyday
Underwriters is to review routine applications, look for problems in them, seek
to correct the problems, accept or reject applications, handle pricing within
certain specifications, add some standard form endorsements, instructions for
issuing digital dec sheets, deal with intermediaries on routine matters, for
example, answering some relatively uncontroversial questions, dealing with adjusters
asking questions (for example, when one of them asks a question about the
company’s reading of the policy), have work reviewed, handle some audits of other
everyday underwriters, very seldom answer outside lawyers’ questions, even more
seldom attend depositions, quite rarely be deposed as to what s/he has done, and
perhaps rarest of all, be deposed as a 30(b)(6) type witness. And, of course,
there are other activities as well.

 How routine this type of underwriter’s work is
depends upon his/her level of experience, accomplishment, intuitions,
articulateness, and so forth.  As already
indicated, there is a range of activities this type of person performs. 
As a general rule, intermediaries do not play a significant role in underwriting at this level, except to be a purchasing agent. Usually they are independent contractors, and that is the way insurers want to look at them. It may be difficult to convince others of that view if the agency has the same name as the insurer, at least roughly speaking.  Consider an agency named “State Farm.”

            Mid-level underwriters do much of the
same sort of thing, but for more complex policies. They have more authority to
add, subtract and alter endorsements. They also supervise Routine Underwriters
(and lower level “Midlevels”), provide advice, conduct Roundtable Discussion
Meetings, and report. They are managers, internal consultants, representatives from appropriate intermediaries, insurance thinkers,
etc.  The size of policies with respect
to which they have substantial authority may be quite large, and their size is
likely to grow over time. 

Their involvement in litigation is
higher than that of the Everyday Underwriter and quite often larger than that of the
underwriter of even the Creative Level.
At the same time it is true that in some litigated cases, the insured
seeks to exclude underwriting files from discovery, and they often succeed
except in quite large cases. All underwriters are “isolated” and “protected”
from policy holders, third parties, and the general public.  The closest to the public is underwriter
education conferences, at least as a general rule. At the same time, it is
worth noting that some large underwriting operations have members that more or
less specialize in litigation involvement—as 30(b)(6) witnesses—and otherwise.

Creative underwriting is quite different
from the other two, and even separated from them, in many areas of
responsibility, except with respect to various kinds of leadership, teaching,
and dialogue. Creative underwriters are,
to a considerable extent, designers of a great many things.  They too are thinkers—imaginative thinkers.

Often their work is done in groups, to some extent, some
of them internal to the company and some of them not.  Those outside the company can include
companies that design standardized policies, industry representatives, other
insurers, reinsurers, brokers, groups of brokers, various businesses of
professional associations, sometimes interested governmental agencies,
sometimes lawyers, and occasionally academics, often from B-schools.

Here are some examples of their topics;
it is incomplete: new policies, new parts of new policies, revisions of old
policies and old parts, principles for conducting sound underwriting at various
levels, the types of activities to cyber-insure and how, what perils to insure
and how, what types of persons in those areas to avoid insuring, what
preconditions to impose, what continuous acts, omissions to require or forbid
during the coverage period, and so forth.

Their creative thinking has become
especially exercised in even more comprehensive ways with the coming of the
early stages of e-insurance in the populous cyber-world. If it needs
insurance—and it does—it will fall to the Creative Underwriters to design the
policies of the new era and participate in creating a corporate structure for dealing
with what has been designed.  Of course,
this creates ever closer relations with senior management of the insurer.

Naturally, Creative Underwriters are
connected—sometimes closely connected—with the finance side of the company,
regarding general conceptualizing of pricing and how to handle adjustments to
it and regarding how to create, digitalize, and allocate reserves.  One of the most interesting things about
Creative Underwriting in the cyber age is how to determine the basis point for
various types of cyber-insurance when there is vastly insufficient actuarial
and other information usable to rationally and confidentially ordain a reasonable
starting point for large segments of cyber realms; this is not guess work for
this or that policy;[i]  it is a much larger group. 

All of the same points apply to
formulating principles for setting reserves. Of course, doing that is a
function of senior, experienced adjusters. 
But building its connection to pricing falls in part to the underwriting
department. Sometimes intermediaries can help.

Even trying to figure out how to think
about diverse sectors of the realm is guess work to a considerable extent.
Closely connected activities will be quite different with regards to
pricing.  Consider liability coverage for
network injury as opposed to privacy intrusions through networks.  Consider first-party coverage for extortion
versus “network-napping.”  Of course, the
list goes on and on and on.
Before proceeding further there is a paradox involved in some activities of more sophisticated and “deeper” underwriters.  Sometimes they like to conceive of themselves as not really having to understand the language of the policies they underwrite.  How they can think of themselves that way is beyond me.  One cannot decide whether to insure a prospective policyholder without understanding what the risks and perils are, what will be covered and what will not, as well as what kind of business the customer is in.  Some of this cannot be done without having beliefs about the contents of the policy, and one cannot have that knowledge without having reasonable ideas about what the language of the policy means.  One does not have to be right–though s/he usually will be. But one must have a semantic understanding, and it must be reasonable, if the underwriter’s job is to be well done.  It is also impossible to price policies in reasonable ways without some probable understanding of what’s in the policy.
I have seen a particularly striking case of this paradox in testimony.  Consider testimony that goes like this: 
Q. As an underwriter would you agree with me that the terms of the policy control what is and what is not covered?
A. Yes, of course, although even if something is covered under the insuring agreement it may be “taken out,” so to speak, by an exclusion.
Given the underwriter’s answer, it is impossible for him to know what is covered and what is not. If s/he doesn’t know this, what is he actually doing? I wonder if the witness knows what a “sinecure” is.
There are other errors that can, as they say, pile on when there are mistakes like this.  For example, one of the things underwriters do is to “write” the policies.  This activity may be actually writing them, writing part of them, putting them together, selectively picking them off shelves, adding specialized endorsements to standard language (say, where there are multiple endorsements to be had), or reviewing (and therefore to some extent editing) what someone else has actually “written.”  The broker (or intermediary) may be the “actual” writing entity.  In all of these circumstances the underwriter must understand the language of the policy to a reasonable extent and face up to the fact that s/he may make mistakes, hopefully reasonable ones.
It’s easy to understand what is worrying the underwriters when they testify on the contents of policies.  They are trying to avoid getting the insurer stuck with the wrong meanings in the contract and maybe being guilty of insurer bad faith.  But the alternative is even more devastating.  Contracts are entities essentially involving language and if a party claims not to have a clue as to what the contract terms might mean, they look like incompetent business entities.  The maxim “Policy holders are expected to know what is within their policies” applies to insurers: “Insurers are required to know what is within their policies.” This requirement is not restricted to claims adjusters.  Indeed, an adjuster’s seeking meaning is one reason s/he might visit with an underwriter.

It must be conceded that large policies
covering enormous groups involve quite different  amounts of information, the handling of it,
storage of it, help writing up use manuals, or the supervision of their
preparation and alterations, and (last here but never ever least) policy
pricing. The same three parts continue to exist, but the responsibilities start
higher, are more complex at virtually all levels, and require more massive
negotiation strategies, if not exactly goals. 
Some health coverages, some municipal coverages, and some large group
coverage like professional coverages, e.g., coverage for physicians and perhaps
cyber-“architects” may be like that.

Other levels of insurance may often be involved in underwriting thinking. In theory, the three parts of underwriting apply to underwriting at the first level reinsurance and (climbing up the ladder) to retrocession reinsurance, a species of the first “re,” as well.  Granted, the three parts of underwriting apply to the two only at a distance, conceptually speaking.  There are at least two reasons for this fact.  One of them is that some of the underwriting work amongst both types of reinsurers is derivative upon the underwriting of the primary carriers.  Another is the existence of the “follow the form” and/or the “follow the settlement” clauses found in contracts of reinsurance.  A third is that reinsurers do not usually have the large underwriting staffs of big-time primary, and excess, carriers. (See Reinsurer Interest in Cyber Products, THE BETTERLEY REPORT BLOG ON SPECIALITY INSURANCE PRODUCTS (May 13, 2013) (providing mention of the Reinsurance Association of America on May 21, 2013; there is a video attached).  For a discussion of RAA, see Cynthia Lamar and Bradley L. Kading, An Introduction to the Reinsurance Association of America, REINSURANCE NEWS 17-22 (August 2004). Mangan and Harrison’s ADVANCED UNDERWRITING TECHNIQUES’ Chapter 1 is entitled “Reinsurance.”)

One interesting feature of
cyber-policies, which can make the underwriting simpler, is that, while the really interesting
feature of these policies is their peculiarly cyber content, some of the
policies cover some ordinary business risk problems, both internal and external.
None of them cover all of them. Early in this blog, there was reference to
aviation hull insurance. Other cyber policies—most of them—exclude all such
coverages and thereby encourage insureds to look elsewhere for that kind of
coverage, e.g., those covering real-world business organization problems. This
too was discussed earlier in this blog.

Obviously, there are some business
organizations that now prefer to have them integrated.  That small visage of the primitive policies will
die completely out shortly, I conjecture, at least for larger commercial
entities, since it does not really help with risk management to integrate the
two into a single document, even if one of the areas is placed in an
endorsement.  It’s simply harder to read,
and there is too much danger of what might be called “hostile interpretative
diversity.”

One last portrait.  At least liability insurance policies can be divided into two claims categories.  In one of them covered events must occur during the policy period, whereas in the other it can occur outside the policy period.  Usually both types of policies fit together perfectly: auto crashes are like that.  They happen on Day #1 and are reported that day or on Day #2, more or less.  Policies that cover some types of injuries like asbestos bodily injury might be quite different: exposure to the injuring and covered peril on Days ##1-300 but manifestation of the injury (or something like it) not until Day #6014.

In contrast there are claims-made-policies, and they require at least that the injury from the covered peril be reported to the insurer during its policy period, and they often require both the cause of the injury and the injury itself to occur during the same policy period. (There are variations on this pattern where reports can come later, legal malpractice policies being one of them.)
Naturally, insurers prefer claims-made-policies to exposure-policies aka occurrence policies.  Some years ago the industry tried to switch everything over to the system it preferred, the claims-made system.  There was a public outcry, coming mostly through insurance regulators.  Now, all the cyber policies of which I am aware are claims-made-policies. All of them also have variations, virtually all of which can be added by endorsement, e.g., the damaging event might happen a bit before the policy period and/or the claim might be made slightly after the policy period.  Determining how to handle these options and what to charge for them is a real underwriting headache in the world of cyber underwriting.
Now we come to what might be a nightmare when it comes.  Sooner or later customers for cyber liability insurance will be asking for or demanding what I have been calling “exposure-policies.”  There will be some real pressure on lots of insurers to begin using that form. The industry will resist.  Some insurers might capitulate for the sake of premium dollars.  Now. . ., that is an underwriting nightmare.
Not much has been said about Managerial Underwriting. Obviously, it will have to do with reinsurance at its various levels, ratemaking (again, see Mangan & Connor, ADVANCED UNDERWRITING TECHNIQUES, Chapter 2), and will overlap Creative Underwriting at various levels, most significantly designing underwriting policies, meaning not just the policies themselves but policies of the insurance company as to property underwriting procedures. Id. at Chapter 4.  As Managerial Underwriting goes higher in the “chain of command” the more it will become a kind of financial underwriting, and by this I do not mean insuring financial entities–that is done below–I mean the use of financial techniques and ideas in designing underwriting function/department policies. Id. at Chapter 3.
Financial underwriting has at least two levels.  The lower one is the organization and use of data–a cyber activity these days–thinking about different types of data, grasping how statistics and probability work, and so forth.  A yet more advanced level is understanding and/or working with the connection between contemporary insurance thinking and recent innovations in financial theory.
The financial dimension of underwriting is a changing field. Traditionally, it has been viewed as a determinate of actuarial success, experience, professional intuition, and good luck. Currently there are those who argue that insurance underwriting should be received as a financial activity. Eric Briys and Francois de Varenne argued in their book INSURANCE FROM UNDERWRITING TO DERIVATIVES (Wiley 2001) that “[t]he contribution of financial economics to property-casualty insurance pricing is highly valuable. Indeed, it helps to push the traditional actuarial approach toward a more focused market orientation, and this is especially timely given the current emphasis on the convergence of capital markets and insurance markets.” (p. 27).
For example, Briys and Varenne  claim that  “the insurance policy is the functional equivalent of a put option.” (p. 25). And they further claim that their new work of what I have called “managerial underwriting” natural event are being secularized and then being placed with investors in the form of derivative securities or structured notes.”  (p. 31). Indeed, they say, “[t]he Chicago Board of Trade has launched several derivative contracts in which insurance risks are the underlying assets.” (Id., et passim.)* 
In theory, at least, cyber insurance is an ideal place to develop this transformation.  For one thing, there is no serious basis, much less experience or tradition, of sound actuarial reasoning. For another, we have whole nearly new fields of insurance and therefore insurance underwriting. What a good place to start anew with conceptualizing and applying new ideas, dispensing new knowledge and forms of reasoning. For a general and less technical account of the general ideas expounded by Briys and de Varenne, see their THE FISHERMAN AND THE RHINOCEROS[: How International Finance Shapes Everyday Life] (1999).
*(Of course, one cannot help but wonder how thinking has developed among sophisticated and finance savvy high-level underwriters following the 2008 financial disaster and the role of the derivatives in it.)

It should be kept in mind, that some blogs are drafts of what may (or may not) become larger, different written work.  They are designed to be just that: drafts, with room for improvement. There are also cyber-typing-tech problems here and there, e.g., I can’t always get lines to indent, as is illustrated in this very blog.


Part I. Some Cyber Policies: Structure and Organization: Comparisons

Michael
Sean Quinn, Ph.D, J.D., Etc.

1300 West Lynn St. #208

Austin,
Texas 78703

(o)
512-296-2594

(c)
512-656-0503

mquinn@msqlaw.com

I. Claims-Made Policies In General

There is no substantial
difference between these requirements in cyber policies and real world
policies. All claims-made liability policies—including excess policies—begin
with similar concepts. Some liability claims-made policies as originally
written require that (i) the alleged injury asserted by the alleged victim
against the insured and (ii) the claim for compensation against the insured
must all occur during the policy period. In addition, the insured’s claim
notification to the insurer must also occur during the policy period.  The requirement that the insured’s claim or
notification to the insurer be in writing is often waived.

· Most claims-made policies have a policy
period lasting a year.  Some of the
policies require that the injury causing event occurred during the policy period,
along with the alleged injury, the claims against the insured, and notification
to the insurer. This is a very difficult set of criteria to meet.  Seldom do that many things occur during a
short period of time.

· A second way a system specified in the
contract might work is that the claim is something made by the person or entity
asserting injury against the insured and the insured’s making that assertion
known to the insurer within the policy period. 
In this system, there is no requirement that the injury occur during
the policy period. The injury would be required to occur during a specified
retroactive period.  In other ways the
date of the beginning of the policy period would remain the same. Retroactive
periods are an add-on to a given policy that would be sold to the insurer to
modify the base policy by lengthening it.

· A third way for a policy to work is that
the injury and the notice must both occur during the policy period.  If this were the way the system worked, no
claim would have to be filed during the policy period. The insured would simply
be notifying the insurer of claims, which it believes may arise.

· A fourth way for the contract-created
system to work is that there is an extension period during which the claim
and/or the reporting can happen after the policy period ends. This extension
comes after the termination date of the basic policy.

· A fifth way it might work is that there
is an extension period “backward in time” so that at least one of the three
events required—the injury, the claim, and the notice–can occur during that
extension period.  Usually that is the
alleged injury. 

A sixth way that the system might work
is that there are extensions moving in both directions on the same policy. 

These time limits and specifications are
common in both real-world policies and in the cyber-world. The expense is,
obviously, to some extent at least, determined by the length of times specified
in the extensions. Different extensions can involve different costs, and that
can happen on the same policy.

Often in real-world policies the
temporal size of the extensions is prima facie fixed by standard, antecedently
existing forms. These do not exist in the cyber world, but each insurer will
have its own forms. Of course, the extensions in real world appear in
endorsements, and they can be further extended.
Extensions deviating from the
generally received extension temporal specs found in the standard forms are on
the rare side.

Something similar is true in cyber
policies even without any industry-wide standardized forms. You would expect
there to be more deviation here regarding extensions in policies, but that is
not happening. The most reasonable guess is that there are not actuarial
statistics to make assorted extensions more reasonably acceptable. The same
standardized arrangements regarding extensions will, in the future, likely
evolve in the context of cyber-insurance as it already appears in the real
world.  For one thing, most of the
insurers producing cyber insurance policies also already produce real world
policies, e.g., Chubb, St. Paul, some AIG companies, Travelers, Liberty Mutual,
and others.

A carrier can refuse to extend any
claims-made policy, just like any other policy. They can also renew the policy
and refuse to renew either or both of the extension periods.  Sometimes contracts of insurance, whether
real or cyber world, can impose contractual obligations on the insurer to renew
coverage.  Obviously, all sorts of
insurance policies, including cyber policies, have monetary policy limits; some
reduce policy limits by defense costs; some have deductions; others have self-insured
retentions, and there are yet other commonalities. (I have never seen an
insurance policy of any kind without either deductions or self insured
retentions.  I cannot recall running
across a policy with both, but in theory that is possible.)

II. Policy Structures: Cyber and Otherwise

For
hundreds of years, contracts of insurance have had the same structures. They
have not always been divided up in the same way, but they have been for maybe
100-150 years or more. Most of what is written here is as applicable to excess
policies, of whatever level, as it is to primary policies. The structure of
policies is quite simple:

(1) Declarations. One or more sections explicitly stating what coverages are included in the
policy, e.g., what perils are insured, who is insured, the upper limits on the
policy, as already said, the deductible (i.e., how much will be taken off what
the insurer will pay) or the self-insured retention (i.e., how much the insured
must pay before the insurer has any obligations),[i]
the price of the policy, the size of the policy, sometimes the name of the intermediary,
and various miscellaneous information, e.g., email addresses, normal usable
phone numbers, emergency numbers, and so forth, for the insured providing
notice to the insurer.  In English
language lingo, they are called “dec sheets” or “dec pages.”  

There is one substantively important
point mentioned here; it concerns what professionals are insured under a
policy.  Sometimes on dec sheets there
are lists of what or who is insured. In cyber world policies, various kinds of
classes of professionals insured are set forth. This can be very important for
lawyers.

(2) Insuring Agreements. There are one or more specifications as to what is insured, e.g., an insuring
agreement, with a fully complete panoply of coverages, or a number of
different insuring agreements, each with one or very few insured perils
listed. The purpose of some of these insuring agreements is, as it were, to
provide the insurance customer with a shopping basket. These divisions make no
difference to the substance of the policy.

 Sometimes, real world policies, usually first
party policies, are “all risk” policies, and others name the perils insured
under the policy; sometimes there is one such peril, sometimes more.  In the universally established lingo of
insurance, the latter type is called a “named peril policy.” This
linguistic fact comes as a surprise to no one, nor does it matter. All
cyber-policies are named peril policies; none of them purport to be an all
risk policy, whether first-party or third party.

(3) Package Policies. Another way in which cyber-policies are like real-world policies is that they
can be “package” policies. In other words, they can list several insured
perils, and the insured may be purchasing all of them, some of them, or some
combination of them.  There might be some
for liability coverage, and some for first-party coverage, or they might divide
between first and third party in given policies but then have different first
party perils in one of them and different third-party perils in the other. Cyber
policies are now, at least quite often, package policies to some degree.

One bit of information found in the
insuring agreements of cyber policies concerns how the insurer will compensate
the insured. (i) Some parts of some cyber policies are “pay on behalf of”
policies, e.g., when it comes to the costs of defense, but not other parts of
the policy. This obligation can stretch out over a whole policy and sometimes
it is restricted. (ii) Some sections of the same policy are reimbursement
sections and some may be reimbursement policies all the way through.  There is no reason to doubt that some
cyber-liability-policies are and will be formulated in terms of reimbursement
even as to the duty to defend. Sometimes this is a good thing. If the insured
has plenty of money, can afford paying for a defense, and wants to keep all of
the policy limits for damages if they have to be paid at some time in the
unpredictable future, then a reimbursement arrangement for the duty to defend
may be rational. One can easily imagine such things applying to cyber-world
liability policies. (iii) “We-will-pay” terms for setting forth the
insurer’s duties are different yet; they may simply say the insurer “will pay”
for XYZ, but it is not said when.

(4) Definitions. All insuring agreements in cyber insurance policies use definitions. The amount
and complexity of policy definitions is a distinguishable feature of cyber
policies. Partly this is true because they are named policies, but there are
other reasons, as well. As we shall see in the next bullet point all
definitions used in insuring agreements are stacked.  To expand the point, in the last 100-150
years, all the policies I can remember, have used definitions.  As the decades have gone by, more and more
definitions get used. Thus, as of now, absolutely all insurance policies are
filled with and heavily depend upon definitions. Different signals in the
insuring agreement call attention to them: bold letters, underlining, quote
marks, italic, and perhaps others.  Cyber
policies work the same way without exception.

 
In cyber contracts of insurance, there are many more definitions than
are usually found in real world policies—sometimes there are as many as 50 or
more. These definitions are often quite complex, difficult to understand, and structured
as stacks. Stacking means that one starts with the signaled definition; it is
connected to one or more other definitions which define that definition; and
those definitions are linked to even more definitions. This stacking can be
very extensive.  Of course, there can be
(and are) stacks in real-world policies, but there are not so many definitions
in given stacks.  Fortunately, not all
definitions are stacked or stacked to serious depths, but the definitions are
always complex.

(5) Exclusions. All insurance
policies contain exclusions. In many 19th century policies, they were there but
not named such.  Sometimes they were
built into the description of the peril and that is still done; sometimes they
were built into the definitions and that is still done. Like definitions, the
use of exclusions is more lengthy and more numerous in cyber-policies than in
real-world policies. By my observation, there may be as many as 50±, and the
definitions used in them are often stacked. 
As one might expect, some of the definitions found in cyber-policies are
also found in real-world policies; this is true of both claims-made policies
and others.  Here are several examples:

o Deliberate conduct where the injury is itself intended

o Serious criminal conduct

o Pollution causation

o Wartime injuries, and more.

(6) Conditions.
There is always a section for conditions. 
Significantly, in the long existing common law of contract conditions
are distinct from other provisions in insurance policies. They are not really
statements of promised rights and duties. 
They are simply descriptions of acts the insured must perform in order
to qualify for coverage. It is not a breach of contract for an insured not to
perform one of the requirements; the insurer has no right to performance; and the
insured has no duty to perform. 
Nevertheless, setting aside subtleties, conditions are often treated as
covenants.  This is not necessarily a bad
thing, since breaches of immaterial covenants by the insured do not end the
insurer’s duty to perform.  This change
has proved especially helpful in dealing with the most notable policy
condition, the as-soon-as-practicable notice-to-the-insurer requirement.

            In
any case, here are some conditions to be found in cyber policies. They may
differ a bit from policy to policy, but not much, and many of them resemble the
conditions to be found in real-world policies:

✓ Notice requirements: explanations as to how to provide notice,

✓ information as to how losses of business income/profits (business interruption) are to be calculated,

✓ the conduct of legal actions against the insured,

✓ bankruptcy problems,

✓ subrogation matters,

✓ dispute resolution clause (usually arbitration),

✓ requirement of mediation,

✓ mandatory appraisal (triggered more often by insureds than insurers),

✓ facts to be disclosed to the insurer by the insured during policy period,

✓ assignment matters, permissible waivers (usually none),

✓ cancellation (how-to + consequences),

✓ renewal matters,

✓ other insurance matters,

✓ that the application is to be included in the policy and is warranted to be truthful, and so forth.

It is important to see that none of
these conditions in a cyber policy is significantly different from that found
in a conditions section in real-world policies. None is conceptually different.
 Instructions on how to give notice in a
complex high-tech case may be different from a simple requirement to give
simple notice, but the basic ideas are the same. Though conceptually similar,
specifications regarding the measurement of business interruption are different.
That is quite often left unstated in detail; the foundation of that type of
claim is different from most first-party contracts of insurance in the real
world, where the foundation for all such claims is physical injury to tangible
property, unlike what is required in the cyber world. 

Conditions are usually regulations of
behavior. They do not usually say anything about the substance of the policy.
They are probably not intended to do that. 
Sometimes substantive matters can be “hidden” there, and often
procedural matters have implications for substantive matters.

(7) Extra Section(s).
Sometimes there are extra sections. In one cyber-liability-policy I studied
recently, there was an extra section devoted to the insurer’s duty to defend,
emphasizing limits and exclusions, or what were in effect exclusions. These
sections are nearly always found in liability policies, although they are
sometimes formulated in terms of reimbursement rather than the insurer paying
for the defense “on behalf of” the insured. That section of the policy was not
to be found in the insuring agreement where it usually is, nor was there
anything about that duty in the section containing definitions. I was and am
puzzled by this organization.

Another matter which often occurs in a
separate section is how loss adjustment is to be conducted.  These sections identify what insureds are to
do about cooperating with adjusters and those on whom they depend, e.g.,
forensic types, accountants. 

Sometimes, instead of finding the duty
to remediate, as much as reasonably possible, mentioned in the conditions
section, it is to be found here. These clauses are usually quite brief, even in
cyber policies.  This is true even though
remediation may well be much more esoteric in dealing with cyber losses than with
most real-world cases, even those involving complex physical destruction. 

Historically, there have been a
considerable number of disputes about remediation matters; insureds are well
advised to provide remediation plans to their insurers and try to get approval.  Often they will be neither approved nor
rejected, and it will be said that it is for the insurer to determine what to
do and how to do it.  The insured’s
having submitted a remediation plan to the insurer can have significant
implications later.

Yet another important matter that is
often to be found in a separate section, if not the conditions section, is how
to count the number of causes of loss, and how to think about situations
when there are groups of different causes. 
The reason this is important is that most cyber policies require that
the relationship between cause and effect be “direct.”  Some try to count this as the cause being the
sole cause of the effect.  This is
nonsense, of course; the word “direct” has no such meaning.  Significantly, the word “direct” and
“directness,” “result directly from,” and so forth are often not defined in
cyber policies.

[If enough is enough, perhaps there has already been a bit too much.  Still the reader should please keep in mind that Quinn Blogs are intended to be thought-stimulating [or, thought-provoking] tools only.  They are not intended to be perfected essays.  They are in-progress disquisitions only.  They are not essays polished to completion. Maybe another time.]

[i] Robin Pearson, INSURING THE INDUSTRIAL REVOLUTION: FIRE INSURANCE IN GREAT BRITAIN, 1700-1850 (2004). (Note in wrong place.)


“PORTAL-ING” THE INSURANCE INDUSTRY INTO THE SO-CALLED “CYBER WORLD”

THE INSURANCE INDUSTRY: SOME CURRENT PORTALS INTO 

THE SO-CALLED “CYBER-WORLD”

Michael Sean Quinn, Ph.D, J.D., Etc.


 
The Internet is full of reports about itself, as it were, and plenty of
similar sources are to be found in the real world.
Treating them together, there are ads, mags (like Wired), books with new titles (some of which now have several
editions), textbooks, novels, articles, spiritual exhortations embracing
and/or condemning the new cyber technology, book reviews, blogs, and places to
chat. Many of them are about the so-called “real world” and its
components.  Many are about the
Internet—and more expansively understood, the cyber world itself and its
contents.

There are many abbreviated and
superficial phony disquisitions on what little there is of  cyber insurance law cases about which public
knowledge is available. One suspects that there are more, but settled subject
to confidentiality.  Later in another Blog
you doubt you will be  reading, some of them will be discussed. 

There is WestLawNext and Nexus, where
the reported cases also are to be found and where unreported but published
opinions can be found.   There is a sparse set of articles that say
almost nothing interesting about the reported cases, and say nothing at all
regarding cases conducted quietly, e.g., by arbitration, and/or about which
resolutions are not known, either because there are confidentiality agreements
or because there are agreements amongst the parties to avoid publicity.

Some law schools now have courses on
cyber law, using decided cases, in accordance with ancient tradition, and
statutes as well.  (This point is true
even though some leading intellectuals sneer at the idea.  See Frank A. Easterbrook, Cyberspace and the Law of the Horse, 1996
U. CHI. LEGAL FORUM 207, the author now having sat as a Judge on the Seventh
Circuit for many years.  The Judge’s
article caused substantial controversy, one instance being that of Professor Lawrence Lessig
[Harvard Law School], The Law of the
Horse: What Cyberlaw Might Teach, Research Publication No. 1999-05,
12/1999, the BERKMAN CENTER for INTERNET
& SOCIETY (downloadable from http://cyber.law.harvard.edu/publications).)
However, the traditional law school courses about which Judge Easterbrook is
writing, so far, say nothing, or next
to it, about cyber insurance law. In some sense, some cyber insurance
principles and the law of the so-called real world are like that already taught in law schools, but not all of
it, and they are likely to diverge a bit, away from each other a little
here and there, over time.  Some of these
divergences may well be significant.

There are also a few law review articles
and a few short commentaries by professional lawyers on the reported cases, but
there are no how-to manuals for lawyers or theoretical treatises.

Nor
are there any satires or parodies, yet.  
Nor are there even any, so far as I can remember, BUSINESS INSURANCE-type
newspaper editorial page cartoons.  (If
there are any, they are very, very rare. I have searched and searched, an
effort  aided by the Internet.)

There is not much to be found on the
Net  that is anything more than superficial
when it comes to the “dawn”—and it still is exactly that–of cyber insurance,
whether it is about creating the contents of such insurance policies, the law
of  cyber-world insurance and its
applications as opposed to and/or distinct from the insurance law of the real-world
(assuming there is or will be one).  As
already said, these observations derive from the fact that the cyber-insurance-industry
is new, and, so far, a quite, quite
small fraction of the existing and established gargantuan world-wide industry.
The difficulties insurers have in creating
this new industry in what some call a “New World” derive from a world (largely) without
tangible property, not to mention human bodies to injure, neither health nor
life insurance. (Of course, it is easy to imagine life insurance as part of a
video game; it could be named “Murder and Adjusting.” It is less clear how a
video game focusing on health insurance might work.)  These differences, and others, make
systematic, reliable thinking difficult.
To be sure, there are pleadings, motions, and briefs—both at the trial
levels and at the appellate levels—to be found on cyber controversies, quite a
lot of them obtainable off Pacer and/or the Internet, on WestLawNext as well as
on LexisNexis. However, there are very few controversies that have made it to
court.

Some of the “literature” about insurance
and the cyber-world is informative, but most of it is shallow. They are really
ads set forth by businesses hawking services and other wares.  Most of these come from insurance
intermediaries, but some come from other vendors, including law firms, as well
as risk management firms.  The law firms’
“newsletters” are much better for coverage aficionados than those of others
are.

The federal government is becoming
involved in this a little.  There are two
published “discussion group” booklets. 
One is called Cybersecurity Insurance
Workshop Readout Report.  That
conference was held in November 2012. 
And there was a second conference, a little less devoted to insurance,
held in May 2013, entitled Cyber Risk
Culture Roundtable Readout Report.

There are huge numbers of firms and different
sorts of businesses that  present
themselves as knowledgeable, helpful, and wise about cyber-world insurance—able
to interpret policies accurately and with authority, able to recommend needed
coverages, and able to do (or help monitor) all sorts of forensic activities.
Some intermediaries are like this, some security consultants claim to be this,
and most contemporary risk managers say they do this, as well. 

Significantly, more than a few insurers
are forming risk management subsidiaries and advisory groups on needed and
desirable security devices, some of which are preconditions for purchasing a
policy.  Of course, it’s hard to do this
sort of thing without financial analysis, so some insurer subs are doing this
too, though usually for the stated purpose only.
So far, there is not a chorus of insureds complaining that much of this particular type of work—remember, “risk
management services”—is keyed to inducing customers to buy the sort of
insurance the principal part of the company sells.

Even
the more objective literature pretty much repeats what is already known or
which is intuitively obvious. There are exceptions, of course, such as the
proposition that 90%±(?) of data breaches and other problems are inflicted upon
smaller businesses—less than 100 employees—and that a substantial percentage of
the causes of all such breaches, whether of large companies or small, involve
negligent acts or omissions by employees. Moreover, some publications state
that a similar percentage of costly intrusions into one’s network can be
avoided, if proper security protections have been installed and managed
correctly.

One
significant source on these topics and some like them is the annual Verizon report
for 2013 (its “2013 DATA BREACH INVESTIGATIONS REPORT”), which says that, while most
breaches of security are outsider driven, there are often internal,
unintentional, merely negligent acts or omissions by company employees.  (See id. p. 3) If one takes seriously the idea
of insurance for the conduct of employees, we have a type of insurance that is
frequently not covered in “real-world” policies.

In any case, there are a goodly number
of available publications on the cyber
world in general, conflict within it, conflicts about it, the nature of damages being caused, privacy being invaded, damages
from theft of personal information having been swiped, and on and on, but there is
little about insurance.  Thus, the
public is bombarded daily with brands
of new news about the sociological and economic revolutions that components of
the so-called cyber-world are somehow creating, about the tremendous profits
now generated on and by the Net (and which will “forever” be earned in
that world), and that cyber catastrophes happen there on a weekly basis.  The attack on Target near Christmas in 2013,
and the ostensibly separate one against Neiman-Marcus—are there class
differences in the “hackactivist” community?—leave the public, and commercial
entities that interact with the public 100s to 1000s of times a day, in a state of
bewilderment and fear. One of the messages being sent is: “You need to
buy cyber insurance.”  Another one is:
“You must buy cyber insurance, or else you will go into miserable
bankruptcy and get sued by everyone in sight—shareholders, employees,
vendors, millions of consumers, and governments, as well.” The more recent P.F. Chang invasion is more of the same. (By the way, for those of you more than mildly interested in these topics, I recommend you read “KREBSonSECURITY” frequently. Its subtitle is “in-depth security news and investigation.”)

At the same time the interested public
is almost as often told that the principal causes of “data breaches” are
various human errors or system glitches, including: lost laptops, components
stolen from employees, such as flash drives, back-up tapes, CD-ROMs carrying unencrypted
information, emails with sensitive client and/or customer information sent
erroneously, data bases not effectively protected, unencrypted data in
transit from one organization to another.
Of course, out and out theft is different.  Almost all of it comes from the outside, not
from employees or business partners, yet employee negligence often plays some
role, and sometimes employee competition, politics, or simply revenge plays some
role.  Out and out theft also plays a
role, perhaps more than “hackery.”

Here is an important group of
questions:  If commercial entities of all or most sorts
could cut cyber losses by 90%, how should
the need for cyber insurance be thought of?
On a scale of 1 to 10, where 1 is “not needed at all” and 10 is “really
need very badly,” where would cyber insurance fall?  How large should the self-retention be?  Given that small businesses have losses much
more frequently than big businesses, or,
at least that is what is said, how should the need for cyber insurance be
thought of?
(Mindy Pollack, 2013: THE YEAR
OF DATA BREACH INSURANCE, Topics No. 21, p.10 (2013).) Nothing further will be said about
these questions, and it will be assumed that everyone needs at least some
insurance now, including some types of cyber insurance.

Perhaps the following can be used as a
starting point to reflect on these questions. Six years, or so, ago, a group of
the various PlayStation divisions and/or
interconnected companies had at least 77 million victimized customers by having
had significant pieces of their personal information stolen. (This is a
well-known story.)  As one might expect,
these are the kinds of events class actions are made for, and–in this case–an
enormous insurance dispute. The PlayStation companies are found in the SONY
realm, so it sought coverage from Zurich Insurance, among others.  One of these cases will be discussed
later.  Did SONY’S having cyber insurance
help it, and if so, how much?  (Oh yes!)  How did the settlements with the other
insurer work? They didn’t, and thereon hangs a tale.  I will discuss it in some other blog.

Perhaps the economic semi- or
pseudo-panic that surrounds commercial endeavors to sell various cyber
insurances is unnecessary. However, apparently strong punditry is seldom right,
as we all know from politics. 
Probabilistic predictions about BIG events are never certain, if, for no
other reason, pundits and many others do not appreciate Quinn’s Self Explanatory
Refined Version of the nearly profound Rule, to wit:

There
are such “things” as unknown
unknowns, and sometimes some people
think they know that there are quite
likely important events or trends which border on being known, not even close
to unknown.  (Already applied once
herein.)

Of course, even if the way needs are
formulated is made overly colorful, probably too dramatic as a matter of
probability, and made on the basis of “facts” which are falsely alleged, mostly
innocently, it is seldom a bad idea for large companies to buy insurances of
various sorts.

Quinn’s Second Law should be kept in
mind. 

There is no such thing as a single cause for a complex event.

The
world of insurance understands this very well. 
It has been applied very little to analyzing the cyber-world.  Perhaps this is a place where applicable
insurance ideas might lead a way.


“FOGS IN THE ‘CYBER ORDER'”

CYBER INSURANCE: 
“FOGS IN THE ‘CYBER ORDER'”
SOME SOCIAL, ECONOMIC, FINANCIAL 
& HISTORICAL PROBLEMS

Michael Sean Quinn, Ph.D, J.D., Etc.

1300 West Lynn #208

Austin, Texas 78703

(o) 512-296-2594

(c) 512-656-0503

mquinn@msqlaw.com

Insurance, like many industries, has
struggled to keep pace with the complex super-rapid developments in the intangible cyber-world, some of the
dimensions of which are the remarkable development of or from tangible computers,
the development of multiple X-pads, Y-tabs, and Z-“whatevers,” the race to new technologies in the provinces
of the Internet, and the “super-sonic, near-speed-of-light” development of
uses of technologies in the cyber-world so advanced that “Pads” and “Tabs” seem,
and may already be, obsolete as of June 30, 2014. (Consider what has been
going on in the collective search for the missing Malaysian airliner. Or,
consider the fact that we all can closely watch the van Eyk Project as it moves
along.)

Computerized information systems and
electronic commerce have out-stripped the capacity of the legal system and
government to keep up—to regulate not only “the web,” but intranets, social
media, and e-commerce in general.  Think
of Amazon; think of Staples; think of Target; think of X then Y then Z, and then on and on. The Internet now even has its own
highly sophisticated currencies, “tech-cur,” of which Bitcoin is now the best known
example.

This statement is not intended to
suggest that the insurance industry has failed to recognize that insurance is desirable
and even necessary under many circumstances.
It is necessary for many customers, who become insureds, and it is
desirable for many commercial insurers, since e-commerce will have an enormous role in
at least the century to come. Indeed, all industries already use the various
“nets” in conducting their businesses.
Again, think about the “Target Incident” in 2013, or ponder the alleged hackery-caused ruination
of the Potash merger deal in Canada
several years ago, with alleged and unconfirmed hackings of seven, or so, law firms in Toronto
that were professionally involved in the deal.  According to a sophisticated article in the Sunday Review section of the June 22, 2014 NYT, hacking and resistance to it are getting more sophisticated very quickly.  The levels, the twists, the turns, the internationalism, the international politics, and on and on, are getting ungraspable, at least for many of us.  (I don’t know lawyers who actually do, although many in large national law firms say that they do just that all the time.)

The fact that the insurance industry is
not keeping up does not mean that insurers are unaware of many of the
possibilities for revenue and profits. It only means that the stages of
development are yet early, and it implies that there are many more “places” to
go.  The decision making players are
conscious of the history of the industry.
Not charging a premium in the neighborhood of the “right premium,” not having enough carriers
involved in taking on the risk of loss, not having personnel or enough
personnel with the right sets of
knowledge, whether in
underwriting departments, adjustment departments, or yet others, has
historically led to numerous bankruptcies, and similar states.  (And I haven’t even started to get to the
asbestos insurance catastrophe.)

Insurers
know that prudence in creating entirely new types of insurance—types that may
become a front running component of the industry—is required.  There is no such thing as the instantaneous
development of prudence.  All prudence is
developed relatively slowly.  Anyone who
claims to have acquired prudence with respect to anything

Here is a concrete so-called cyber-world
example. So far as I can tell, there has been no such thing as (or only very rarely
such a thing as) “network-napping” to be thought of as an analogy to kidnapping.
There is such a thing as cyber extortion, but that is about what one might do
in the future. Not about what has already happened.  There is such a thing as data (or
information) trolling, but it does not appear that there is much in the way of
“data-napping,” at least, not yet. (Also,
I haven’t found much about instances of large scale invasive “data destruction,”
i.e., the destruction of the data of others.)  If the NYT article just cited is correct, all of that has recently changed.

Of course, assuming that “data-napping,”
“network-napping,” “cyber napping [in general],” “data-destruction,” are all
perils, there will be, or already secretly is, insurance protecting insureds
from them.  There is a cyber tort that is
the opposite of both “-napping” and “destruction”; that is the cyber
lockout.  As the reader will know
instantly, that is a real peril, and there will be insurance against it, as well.  All “perils” are, virtually by definition in
the insurance industry, fortuities,
to some extent and in some significant ways.
Insurance is for the fortuitous. Indeed, a fundamental axiom of
insurance as a concept is the Principle
of Fortuity, a phrase everyone in the industry knows, embraces, and respects.

It
is often said that cyber technologies and their uses are changing and growing
at breakneck speed—rather like a super engine racing boat with its remarkable
steering capacities. Consider this minor fact, reported in the Wall Street Journal on November 13,
2013: “In 1993. . ., there were only 34 million cellphone subscribers
world-wide, compared with more than 6.8 billion today.” (Lockton, Cyber Studies Decoded: A Report on Data
Risks, the Law, Risk Mitigation and Insurance p. 3 (February 2012).) (This is a
many paged commercial pseudo-treatise, financed by a large source, containing
data often cited by others, with many citations to respectable sources, or so
it would appear. It is easily found on the internet.)

Of
course, it also must be kept in mind that the advances in cellphone technology
are also extraordinary. So far as the spread is concerned, I cannot walk down a
busy sidewalk without seeing more than ½ of my fellow walkers doing something
with their cellphones. I doubt that many of them are listening to Shostakovitch, discussing
him with their colleagues; many of them, for sure, are observing and conversing
with their friends, or others. Consider how fast all this has happened and is
happening. (Is it relevant here to mention the purchase and use of devices to lock cell phones shut if they appear to have been stolen?)

The
insurance industry is not like that. Its ontological constitution is not built for blindingly rapid change! By its very nature, it can’t keep up with the innovative speed found in (or, stimulating) the so-called “cyber world.”  In the insurance industry, historically speaking, changes have been more like an aircraft carrier turning, and not like a huge-engine speed
boat speeding ahead or turning.  Even the banking industry moves
more quickly.  The role of insurers as
“risk guardians” requires this.  The
nature of prudence in the area of protection—and that is what insurance is all
about, protecting insureds from determinate fractions of worrisome losses—does
not leap into consciousness and decision-making straight from a cloud.

To
continue this metaphor, insurers carry, as it were, in their heads, all sorts
of powerful and useful ideas with semi-details of them, and they will all be
considered in a variety of ways. This risk-shifting and “how-to-shift-risks”
thinking  is  necessary for the carriers, their balance
sheets, and their stockholders, for the stability of the industry, for the
policyholders, for others that may need the benefit of coverage (those if any
whom the policyholder has injured in a covered way), and for the purpose of
being relatively in line with public policy. Of course, as with any innovation,
there must be hypotheses about how to go, how to think, how to reserve, what to
do next, experiments, and how to deal with the inevitable and instructive
mistakes.

One
example of the slowness of insurers in catching up to the times is the problem
of gambling. Part of the analogy is financial-economic, and another part is
political. From the financial side, underwriting parts of the gambling business
is nerve-racking. Even where gambling is legal, and certainly as to online
gambling, carriers have been slow to get involved in anything but routine
coverage, such as property insurance.

It’s
easy to see why. Even in insuring casino buildings, there are very special
risks and liability insurance is much more problematic.  Setting premium prices, making sure that
application forms are sufficient, making sure that applications are filled out more-or-less
correctly, and trying to price premiums in a reasonable way, are all extra problems.
 

In the world of cyber insurance, both of these
types of insurance—first party and liability insurances—will have substantial
preconditions upon the issuance of policies, e.g., insurers now impose, and will
forever impose, requirements on the character and extent of a customer’s
security system, whether physical or behavioral.  Determining what these should be is a major
project, filled with ideas, debates, advice, more ideas, more debates, more
consultation, and intra-company politics.

In
addition, there is a historical-political set of problems. For centuries,
governments and churches regarded insurance as nothing but gambling, which I
think it actually is.  It took a long
time for potential insurers to convince their governments, and hence regulators,
to either change their minds or look the other way and thereby soon to see the
social and economic benefits of having a heavily regulated insurance industry
and “un-see” the idea that all sorts of gambling ruins cultures and countries.  
This unconscious collective concern in the
industry may be part of the reason that insurers are perhaps skittish about
moving forward in some areas of the cyber world.  After all, everyone who studies insurance
learns a little bit about its history, and that little bit will likely include
the “gambling problem” in the business of insurance. Business “memories”
regarding regulation can last a very long time.

  In any
case, the worries about governmental and institutional problems have made the
insurance industry at least somewhat attentive—even if this “watch” is not
visible on the surface and so is unconscious (to the extent that institutions
can be described as having something like mental states)–not only to what
insurance regulators do, but also the tendencies in and histories of
governmental actions, probabilities, tendencies, and what is these days called
“accountability,” as well as “unknown unknowns.”  In major part, insurance exists to deal with
precisely these.  They will be mentioned
again presently.

Even though insurers individually and
the industry as a whole have moved slowly “forever,” amazingly, in the last three or so
decades, the industry has thought hard and moved forward in what must be
regarded as a fair distance, especially when it is likened to an enormous
aircraft carrier.  The enormous need for the
shifting of risks—usually in part–has grown immensely in e-commerce, where
that term includes all dimensions of businesses involved and the industry has
struggled to keep up with this need. That fact is reflected in the diversity of
modifiable coverages, large variation in cost, a substantial (though not
universal) lack of uniformity and standardization in formulating coverages, even
though there is close to uniformity in the topical areas for which there will
be coverage. 
The insurance industry realizes where one of the next great sources of profit is to be found, and it is now taking chances to get into and stay in the game.  The main problem, as indicated herein, is inattentiveness in pricing, not to mention new coverages and new languages. This having been said, it is worth noting, in passing, that
what coverages there are in a given policy is principally determined by the
insuring agreements, the definitions, and the exclusions, though not usually
the conditions. In cyber policies, at this point in history, though definitions
in all insurance policies are of cardinal importance, the definitions in cyber
policies are of even more significance than those found in so-called real world
policies. This is especially true for the definitions which are not identical to
or pretty much the same as a definition in a real world policy. After all,
experienced members of the insurance “community” are already familiar with
those definitions.

At the same time, a way to slow down the radical innovative process, it must be conceded
that the rapidity of the industry’s “infant”-to-“early adolescence” changes
has depended heavily on existing, reliable, and stable real world
policies.  After all, first party
coverage in the cyber world resembles that found in the material world;
liability insurance is the same way; and so are conditions.  One of the main differences is what is being
insured; and what is the nature of the injuries for which there may be coverage. 
So, we have a chaotic business world, ambiguous yet as to what kind of insurance it needs, how much insurance it should have, what it should pay for it.  Uncertainty as to pricing is acute. In addition to this apparently free market, there are conflicting economic currents, and at least as significant, there is hacking, little real evidence of how many will get hurt and for how much, and almost no established law about how to handle it where there are damages and liability.  Of course, this portal is where insurance comes into the fog, and it is in a fog itself.
