UNDERWRITING
& CYBER INSURANCE
COMING OF AGE

Michael
Sean Quinn

1300 West Lynn Street
Suite 208
Austin,
TX 78703

Phone:
(512) 296-2594

Cell Phone: (512 656-0403
Facsimile:
(512) 344-9466
All underwriting of individual policies,
or very similar contracts, can be divided into four parts.  The parts are stacked on top of each
other.  The parts are “Everyday
Underwriting,” “
Mid-level Underwriting,” and “Creative Underwriting”; each of
these parts has its own internal range. Finally, at the very top, there is “Managerial
Underwriting.”   (These names will no longer be in quotes.)  The educational literature contains nothing systematic on underwriting in the so-called “cyber-world,” and little on it at all. In fact that literature is weak.  See Joseph F. Mangan & Connor F. Harrison, UNDERWRITING PRINCIPLES (2nd Ed. 2000), Hank George, UNDERWRITING: WHAT EVERY PRODUCER MUST KNOW (2009), and Joseph F. Mangan and Connor Harrison, ADVANCED UNDERWRITING TECHNIQUES (2nd Ed. 2002).

Remember. An “individual policy” can
cover a whole fleet of entities, whether trucks, boats, planes, or anything
else. What’s in the fleet need not be even nearly identical, except to fall
within a given category.  Even planes
which can also work as boats can fit three different fleets: planes, boats, and
motor vehicles.  It can fit into all
three at once, and have different insurance for each separate function.  Welcome to underwriting.  (Also keep in mind that there is no such
thing as insurance under-righting; this should not be different, since, in
fact, there is now such thing at all.)

            This essay is intended to outline
how systems of underwriting departments are structured, and what problems this
may have for insurers as they become more and more integrally active in the
so-called “cyber-world”—a widely used but wretched phrase, if ever there was
one. Here are some sample cyber underwriting questions.  How should a policy
be designed that is to cover warranties on the design and manufacture of
digital systems? How should that kind of product liability be conceived for
liability insurance?  How should storm
damage be insured, if at all, when it comes to various categories of cyber stuff?
How should the new categories be conceived, written, priced, advertised, and so
on? What about insurance for ransom demands pertaining network-napped systems?
Or for cyber extortion? What about hacking by employees? Or negligent losses by
employees of actual computers and thereby their “innards,” as it were?  Or illegitimate use of computer systems by
employees whose uses accidentally create a hack-portal? And so on “forever.

Some of it is a bit more theoretical,
not to mention philosophical and prophetic. 
Some might think that the higher levels of what I am suggesting is
nothing but intuitive, and a few might wish to characterize it as
speculation. 

In addition, although virtually all levels of underwriting use “underwriting-centric software, the complexity of that material is directly proportional to the level of the underwriting function. Still, as of a year or so ago, specifically for it and it alone.  Some underwriting groups simply designed or customized  and used their own. This situation has made integrated communications difficult when different types of data are involved.  The same difficulty applies when underwriters reach out for risk information, and the more intricate the more difficult. This kind of complexity and creativity is not the topic of this blog-essay, however, nothing more will be said about it. See, Gail McGriffin (at Ernst & Young), Underwriting Technologies Matures: The Birth and Rise. (www.insurancetech.com)

The “cyber world,” if that is what one
wishes to call it, is a “new world,” and so insurance and therefore insurers
and therefore underwriting must adapt and be transformed to grasp and handle its
wakes and probable (even possible) future causes of further wakes.  Given the still existing alien nature of the
so-called cyber-world, it is no wonder that an acceptable characterization of
insurance underwriting in this rapidly changing environment. 

That “world,” or that part of our world,
feeds underwriting all sorts of problems arising from all sorts of inescapable and
uncontrollable “quickeries”—birth (new product, new policies), hi-tech development
(and so new parts or new twists in policies), a spread in cyber-ness,
cyberality, cyber-centrality, in addition more and more insurance transformations
needed for the next round of cyber changes, all coming at an exponential
rate.  In addition, all of this is taking
place in the vortex (or vortices) of  what can best be called “stormy socio-politico-economic
surroundings.”

Where is all this information to come
from” The understandable  literature?
Advisory consulting groups? Research groups? Risk management companies? Large firm intermediaries (aka agents and/or brokers), e.g., Aon, Marsh, Lockton, etc.? Some of
all this is to be found in reported legal decisions which are difficult for the
many to understand but partly on the basis of which, underwriting decisions
must be made.  

It is no wonder that the underwriting
world feels (metaphorically speaking)  grabbed, shaken, whipped, and nearly strangled
by the collected components  its new-ish, still
strange and very alien environment. As learned and reliable insurance underwriting
has entering and is coming of age in so-called “cyber space,–really just
another name for “cyber-world”– it had and still has no consistent, reliable
and universalistic methodology for collecting, systematizing,  blending, analyzing and using it to make
unquestionably reasonable reliable linguistic, semantic, structural, sales and
distribution decisions.  Underwriting is
afflicted by the disorder of  untrustworthy epistemology: no reliable
history, no rock solid actuarial foundations, only fragmentary and questionable
statistics, and the curse of having to use the language of “yesteryear” in our
whole new world. (A world in which most people are still stumbling around.)

Think about changes in underwriting when
commercial sailing vessels powered by wind changed to wheel driven ships
powered by burning wood, wood and then moved along by metal propellers powered
by diesel.  Significantly, all of this
happened relatively slowly. Keep in mind that wind driven ships and insurance
lasted together, albeit sporadically for well over 1000 years. Paddle wheelers
stayed around for more than 100 years and were never really ocean-going. And
ships metal based in part have been with us for well more than 100 years. 

Insurance underwriting has been
confronted with new problems slowly. 
Even now it is confronting a new realm as cyber technology as
transformed maritime transportation and therefore maritime insurance.  (The May 12, 2014 issue of BUSINESS INSURANCE
contains several articles on exactly this matter.  The central one is entitled Marine Sector Struggles with Cyber Risks.)

Hull insurance in contemporary
commercial aviation has a set of cyber problems, even though the industry is
younger—probably around a 100 years or so—and involves different equipment
(obviously enough) and probably a more complex financial system, at least
because there are 1000s more separate flights every day than there are journeys
on the high seas, large lakes, deep rivers, and canals.  No doubt the complexity of the cyber
equipment is more complex on airplanes than on even the largest ships, given
the speed at this the insured entities are traveling and where they are in
relation to the surface of the earth.  Commercial
jets are a jungle of enormously high speed cyber systems. For discussions of
the insurance niche when it comes to commercial aviation, see Peter Greenberg, The Big Money Surprise About MH370, 169.7
FORTUNE 11-14 (May 19, 2014). [MH37 is the Malaysia Airline jet that was lost
in the Spring of 2014.)  (This article
points out how fast hull insurance, as opposed to personal injury claims, including
death claim,  is paid and how many
insurers may be involved in insuring on hull, e.g., one for some “ordinary
physical destruction” and one for terrorist caused destruction.  Greenberg does not discuss reinsurance and
its levels. Nor does he draw a distinction between total and partial
destruction, and he says nothing about cyber complications. No doubt the cyber
category creates a whole new set of problems

At a more big picture, indeed, grand,
level, think about the industrial revolution and its aftermath.  Property insurance began to come of age
slowly in the Eighteenth Century starting with the spread, as it were, of fire
insurance, that started in “dribs and drabs” in the previous century, and then
very slowly expanding out from there. It has now been called the “First
Industrial Revolution  It came about in a
mere couple of hundred years, or—maybe—a little less. Then we had a “Second
Industrial Revolution”; it has lasted around 150 years

That seems fact to those of us that
studied economic history in university, but it is nothing compared to
what we are talking about as hi-tech history up to know and on into the
further.   See Erik Brynjolfson &
Andrew McAfee, THE SECOND MACHINE AGE: WORK, PROGRESS, AND PROSPERITY IN A TIME
OF BRILLIANT TECHNOLOGIES (2011).  The
see this as a “Third Industrial Revolution” but mostly call it the “Second
Machine Age”; they do this in order to emphasize that its essence is to produce
knowledge of a new kind and at a different rate.

While all of these observations and
speculations are true, two important relatively unrelated points should be
made. Senior level underwriters are faced a truly breath taking array of pressing
and significant problems, even outside the so-called cyber-world.  I say “outside” because elements of the cyber
world now permeate the so-called real-world. 

Consider for example the following.  At first it seemed to many that cyber
policies would cover both “far off” cyber entities and the “close in” already
familiar entities.  Material (or physical
objects) were the paradigm. But the mixture of categories did not work well for
a variety of reasons.  As a result
insurer began trying not to pay for things like software when it was
damaged.  Sometimes they succeeded, sometimes
not. After a while, they began to construct new exclusions, and they have
worked: most cyber entities got excluded. 
Thereafter, some insurers began to exclude in so-called real-world
policies—like CGL derivatives–all coverage for event having principal causal
bases in so-called cyber-space. That has worked too.   The trouble was an is that there had to be
policies that mixed the so-called different worlds together.  No easy task. 
It will get harder.  How should robotic
devices be insured?  All sorts of things
can happen to them.  They could wreak all
sorts of havoc, whether at directions from some human or some other robot or by
some defect inside itself—whatever “inside” might mean.

The overall pressure an underwriters is
immense. As I contemplate their burden I am put in mind of the famous Munch
painting(s)—the one(s) on a bridge and other than the “Madonna.” In my view the
frontline underwriters should not only be lauded, they should be regarded as
something like heroes of a commercial and insurance revolution.  (When I say “insurance revolution,” I am not
suggesting that fundamental principles will change; the “Principle of Fortuity”
will not change but a great deal that surrounds it will.)

Since this is the digital age, virtually
all of every underwriters work is paperless or nearly so. In addition, all underwriters work
together at some time and in some way. 
“Round Table” discussions are common now; groups that talk to each other
with different ideas plus civil and suggestive criticism is always a source of
improved thinking.

 Even today, they are almost always “vertical
to some extent.  This means that the less
experienced are sitting together with the more experienced and more
knowledgeable.  This organization,
however, must be, and usually is conceived as a sort seminar, as well as other
things, so that ideas can be exchanged and debated and  the less experienced and  knowledgeable 
can gain from the more so. Practical wisdom can sometimes be derived
from these sessions, whether they are regular (“Every Thursday morning at 7:30
both face to face and on Skype [or its progeny].”), instantaneous (“Good God.
We all need to talk about this.  Get it
set up right quick.”) or irregularly as needed.  How vertical practice will work in the cyber
world is not yet clear.  One must be
inclined to think that at some level of cyber-techno-learning, and further
development of education, etc., plenty of such help will be integral for years
to come, especially given the speed of innovative development. 

Now let’s take a look at the four
levels.  As the paragraphs go along the
reader should keep in mind how changes in underwriting will function, how the
relationships between underwriting and adjusting will work, and how the setting
of reserves can be done when insurers are awash with rapidly moving tech
innovations.

            The function of Everyday
Underwriters is to review routine applications, look for problems in them, seek
to correct the problems, accept or reject applications, handle pricing within
certain specifications, add some standard form endorsements, instructions for
issuing digital dec sheets, deal with intermediaries on routine matters, for
example, answering some relatively uncontroversial questions, dealing with adjusters
asking questions (for example, when one of them asks a question about the
company’s reading of the policy), have work reviewed, handle some audits of other
everyday underwriters, very seldom answer outside lawyers’ questions, even more
seldom attend deposition, quite rarely be deposed as to what s/he has done, and
perhaps rarest of all, be deposed as a 30(b)(6) type witness. And, of course,
there are other activities as well.

 How routine this type of underwriter’s work is
depends upon his/her level of experience, accomplishment, intuitions,
articulateness, and so forth.  As already
indicated, there is a range of activities this type of person performs. 


As a general rule, intermediaries do not play a significant role in underwriting at this level, except to be a purchasing agent. Usually they are independent contractors, and that is the way insurers want to look at them. It may be difficult to convince others of that view if the agency has the same name as the insurer, at least roughly speaking.  Consider an agency named “State Farm.”
            Mid-level underwriters do much of the
same sort of thing, but for more complex policies. They have more authority to
add, subtract and alter endorsements. They also supervise Routine Underwriters
(and lower level “Midlevels”), provide advice, conduct
Roundtable Discussion
Meetings, and report. They are managers, internal consultants, representatives from appropriate intermediaries, insurance thinkers,
etc.  The size of policies with respect
to which they have substantial authority may be quite large, and their size is
likely to grow over time. 

Their involvement in litigation is
higher than the Everyday Underwriter and quite often larger than that of the
underwriter of even the Creative Level. 
At the same time it is true that in some litigated cases, the insured
seeks to exclude underwriting files from discovery, and they often succeed
except in quite large cases. All underwriters are “isolated” and “protected”
from policy holders, third parties, and the general public.  The closest to the public is underwriter
education conferences, at least as a general rule. At the same time, it is
worth notice that some large underwriting operation have members that more or
less specialized in litigation involvement—as 31(b)(6) witnesses—and otherwise.

Creative underwriting is quite different
from the other two, and even separated from them, in many areas of
responsibility, except with respect to various kinds of leadership, teaching,
and  dialogue. Creative underwriters are,
to a considerable extent, designers of a great many things.  They too are thinkers—imaginative thinkers.

Often their work is done in groups, to some extent, some
of them internal to the company and some of them not.  Those outside the company can include
companies that design standardized policies, industry representatives, other
insurers, reinsurers, brokers, groups of brokers, various businesses of
professional associations, sometimes interested governmental agencies,
sometimes lawyers, and occasionally academics, often from B-schools.

Here are some examples of their topics;
it is incomplete: new policies, new parts of new policies, revisions of old
policies and old parts, principles for conducting sound underwriting at various
levels, the types of activities to cyber-insure and how, what perils to insure
and how, what types of persons in those areas to avoid insuring, what
preconditions to impose, what continuous acts, omissions to require or forbid
during the coverage period, and so forth.

Their creative thinking has become
especially exercised in even more comprehensive ways with the coming of the
early stages of e-insurance in the populous cyber-world. If it needs
insurance—and it does—it will fall to the Creative Underwriters to design the
policies the new era, participate in creating a corporate structure for dealing
with what has been designed.  Of course,
this creates ever closer relations with senior management of the insurer.

Naturally, Creative Underwriters are
connected—sometimes closely connected—with the finance side of the company,
regarding general conceptualizing of pricing and how to handle adjustments to
it and regarding how create, digitalize, and allocate reserves.  One of the most interesting things about
Creative Underwriting in the cyber age is how to determine the basis point for
various types of cyber-insurance when there is vastly insufficient actuarial
and other information usable to rationally and confidentially ordain a reasonable
starting point for large segments of cyber realms; this is not guess work for
this or that policy;[i]  it is a much larger group. 

All of the same points apply to
formulating principles for setting reserves. Of course, doing that is a
function of senior, experienced adjusters. 
But building its connection to pricing falls in part to the underwriting
department. Sometimes intermediaries can help.

Even trying to figure out how to think
about diverse sectors of the realm is guess work to a considerable extent.
Closely connected activities will be quite different with regards to
pricing.  Consider liability coverage for
network injury as opposed to privacy intrusions through networks.  Consider first-party coverage for extortion
versus “network-napping.”  Of course, the
list goes on and on and on.

Before proceeding further there is a paradox involve in some activities of more sophisticated and “deeper” underwriters.  Sometimes they like to conceive of themselves of not really having to understand the language of the policies they underwrite.  How they can think of themselves that way is beyond me.  One cannot decide whether to insure a prospective policyholder without understanding what the risks and perils are, what will be covered and what will not, as well as what kind of business the customer is in.  Some of this cannot be done without having beliefs about the contents of the policy, and one cannot have that knowledge without having reasonable ideas about what the language of the policy means.  One does not have to be right–though s/he usually will be. But one must have an semantic understanding, and it must be reasonable, if the underwriter’s job is to be well done.  It is also impossible to price policies in reasonable ways without some probable understanding of what’s in the policy.
I have seen a particularly striking case of this paradox in testimony.  Consider testimony that goes like this: 
 Q. As an underwriter would you agree with me that the terms of the policy control what is and what  is not covered. 
A. Yes, of course, although even if something is covered under the insuring agreement it may be   “taken out,” so to speak, by an exclusion. 
Given the underwriters answer, it is impossible for him to know what is covered and what is not. If s/he doesn’t know this, what is he actually doing. I wonder if the witness knows what a “sinecure”is. 
There are other errors than can, as they say, pile-on when there are mistakes like this.  For example, one of the things underwriters do is to “write” the policies.  This activity may be actually writing them, writing part of them, putting them together, selectively picking them selectively off shelves, adding specialized endorsements to standard language (say, where there are multiple endorsements to be had), or review (and therefore to some extent editing them) what someone else has actually “written.”  The broker (or intermediary) may be the “actual” writing entity.  In all of these circumstances the underwriter must understand the language of the policy to a reasonable extent and face up to the fact that s/he may makes mistakes, hopefully reasonable ones.
It’s easy to understand what is worrying the underwriters when they testify on the contents of policies.  They are trying to avoid getting the insurer stuck with the wrong meanings in the contract and maybe be guilty of insurer bad faith.  But the alternative is even more devastating.  Contracts are entities essentially involving language and if a party claims not to have a clue as to what the contract terms might mean, they look like incompetent business entities.  The maxim “Policies holders are expected to know what is within their policies,” applies to insurers; “Insurers are required to know what is within their policies.” This requirement is not restricted claims adjusters.  Indeed, an adjuster’s seeking meaning is one reason s/he might visit with an underwriter. 

It must be conceded that large policies
covering enormous groups involve quite different  amounts of information, the handling of it,
storage of it, help writing up use manuals, or the supervision of their
preparation and alterations, and (last here but never ever least) policy
pricing. The same three parts continue to exist, but the responsibilities start
higher, are more complex at virtually all levels, and require more massive
negotiation strategies, if not exactly goals. 
Some health coverages, some municipal coverages, and some large group
coverage like professional coverages, e.g., coverage for physicians and perhaps
cyber-“architects” may be like that.

Other
levels of insurance may often be involved in underwriting thinking. In theory,
the three parts of underwriters apply to underwriting at the first level
reinsurance and (climbing up the ladder) to retrocession reinsurance, a species
of the first “re,” as well.  Granted,  the three parts of underwriting apply to the
two, only at a distance, conceptually speaking. 
There are at least two reasons for this fact.  One of them is that the some of the underwriting
work amongst both types of reinsures is derivative upon the underwriting of the
primary carriers.  Another is the
existence of the “follow the form” and/or the “follow the settlement” clauses
found in contracts of reinsurance.  A
third is that reinsurers do not usually have the large underwriting staffs of
big-time primary, and excess, carriers. (See Reinsurer Interest in Cyber Products, THE BETTERLEY REPORT BLOG
ON SPECIALITY
INSURANCE PRODUCTS (May 13, 2013) (providing mention of the Reinsurance
Association of America on  May 21 2013.  There is a video attached.  For a discussion of RAA, see Cynthia Lamar
and Bradley L. Kading, An Introduction to
the Reinsurance Association of America,
REINSURANCE NEWS 17-22 (August
2004). Mangan and Harrison’s ADVANCED UNDERWRITING TECHNIQUES’ Chapter 1 is entitled “Reinsurance.”
One interesting feature of
cyber-policies, which can make the underwriting simpler,  is that, while the really interesting
features of these policies, is their peculiarly cyber content, some of the
policies cover some ordinarily business risk problems, both internal and external.
None of them cover all of them. Early in this blog, there was reference to
aviation hull insurance. Other cyber policies—most of them–exclude all such
coverages and thereby encourage insureds to look elsewhere for that kind of
coverage, e.g., those covering real-world business organization problems. This
too was discussed earlier in this blog.

Obviously, there are some business
organizations that now prefer to have them integrated.  That small visage of the primitive policies will
die completely out shortly, I conjecture, at least for larger commercial
entities, since it does not really help with risk management to integrate the
two into a single document, even if one of the areas is placed in an
endorsement.  It’s simply harder to read,
and there is too much danger of what might be called “hostile interpretative
diversity.”

One last portrait.  At least liability insurance policies can be divided into two claims categories.  In one of them covered events must occur during the policy period, whereas in the other it can occur outside the policy period.  Usually both types of policies fit together perfectly: auto crashes are like that.  They happen on Day#1 and are reported that day or on Day#2, more or less.  Policies that cover some types of injuries like asbestos bodily injury might be quite different: exposure to the injuring an covered peril  on Days ##1-300 but manifestation of the injury (or something like it) not until Day #6014. 
In contrast there are claims-made-policies, and they require at least that the injury from the covered peril be reported to the insurer during its policy period, and they often require both the cause of the injury and the injury itself to occur during the same policy period. (There are variation on this pattern where reports can come later, legal malpractice policies being one of them.)

Naturally, insurers prefer claims-made-policies to exposure-policies aka occurrence policies.  Some years ago the industry tried to switch everything over to the system it preferred, the claim-made system.  There was a public outcry, coming mostly through insurance regulators.  Now, all the cyber policies of which I am aware are claims-made-policies. All of them also have variations virtually all of which can be added by endorsement, e.g., damaging event might happen a bit before the policy period and/or claim might be made slightly after the policy period.  Determining how to handle these options and what to charge for them is a real underwriting headache in the world of cyber underwriting.  
Now we come to what might be a nightmare when it comes.  Sooner or later customers for cyber liability insurance will be asking for or demanding what I have been calling “exposure-policies.”  There will be some real pressure on lots of insurers to begin using that form. The industry will resist.  Some insurers might capitulate for the sake of premium dollars.  Now. . ., that is an underwriting nightmare.
Not much has been said about Managerial Underwriting. Obviously, it will have to do with reinsurance at its various levels, ratemaking, Again see Mangan & Connor, ADVANCED UNDERWRITING TECHNIQUES, Chapter 2 and will overlap Creative Underwriting at various levels, most significantly designing underwriting policies, meaning not just this the policies themselves but policies of the insurance company as to property underwriting procedures. Id. at Chapter 4.  At Managerial Underwriting goes higher in the “chain of command” the more it will become a kind of financial underwriting, and by this I do not mean insuring financial entities–that is done below–I mean the use of financial techniques and idea in designing underwriting function/department policies. Id. at Chapter 3. 
Financial underwriting has at least two levels.  The lower one is the organization and use of data–a cyber activity these days–thinking about different types of data, grasping how statistic and probability work, and so forth.  A yet more advance level is understanding and/or working with the connection between contemporary insurance thinking and recent innovations in financial theory.  
The financial dimension of underwriting if a changing field. Traditionally, it has been viewed as a determinate of actuarial success, experience, professional intuition,  and good luck. Currently there are those who argue that insurance underwriting should be received as a financial activity. Eric Briys and Francois de Varenne, argued in their book INSURANCE FROM UNDERWRITING TO DERIVATIVES (Wiley 2001) that “[t]he contribution of financial economics to property-casualty insurance pricing is highly valuable. Indeed, it helps to push the traditional   actuarial  approach toward a more focused market orientation, and this is especially timely given the current emphasis on the convergence of of capital markets and insurance markets.” (p. 27). 
For example, Briys and Varenne  claim that  “the insurance policy is the functional equivalent of a put option.” (p. 25). And they further claim that their new work of what I have called “managerial underwriting” natural event are being secularized and then being placed with investors in the form of derivative securities or structured notes.”  (p. 31). Indeed, they say, “[t]he Chicago Board of Trade has launched several derivative contracts in which insurance risks are the underlying assets.” (Id., et passim.)* 
In theory, at least, cyber insurance is an ideal place to develop this transformation.  For one thing, there is no serious basis, much less, experience or tradition, of sound actuarial reasoning. For another, we have whole nearly new fields of insurance and therefore insurance underwriting. What a good place to start anew with conceptualizing and applies new ideas, dispensing new knowledge and forms of reasoning. For a general and less technical of the general ideas expounded by Briys and de Varenne, see their THE FISHERMAN AND THE RINOCEROS[: How International Finance Shapes Everyday Life] (1999).
*(If course, one cannot help but wonder how thinking has developed among sophisticated and finance savvy high-level underwriters following the 2008 financial disaster and the role of the derivatives in it. 

It should be kept in mind, that some blogs are drafts of what may (or may not) become larger, different written work.  They are designed to be just that: drafts, with room for improvementThere are also cyber-typing-tech problems here and there, e.g., I can’t always get lines to indent, as is illustrated in this very blog.



Originally posted on 06/24/2014 @ 8:00 pm

Michael Sean Quinn, PhD, JD, CPCU, Etc

Michael Sean Quinn, PhD, JD, CPCU, Etc. (530)

One of Texas's leading insurance scholars, Michael Sean Quinn is a past chair of the Insurance Section of the State Bar of Texas and has a broad legal practice.

Hits: 0