*This is the second post in a five-part series on cyber insurance, culminating in a webinar titled “Insurance Coverage for Privacy and Data Breaches, Hot Topics and Critical Issues” on Wednesday, April 22, 2015, at 12:00-1:00 p.m. Eastern.
When we talk with CEOs and CFOs about buying cyber insurance, we often hear them say, “I’ll just rely on my agent for the best policy at the lowest cost.” While you may have a fantastic and very knowledgeable agent, there are a couple of reasons why you shouldn’t just rely on your agent when deciding what type of cyber insurance policy to buy.
First, some background. The cyber insurance market has exploded. Cyber insurance accounted for approximately $600 million in premiums in 2010, and over $2.4 billion in premiums in 2014. Approximately 90% of the premiums represent policies purchased in the United States. Some Lloyds of London members believe the cyber insurance market will grow to approximately $85 billion or more in worldwide annual premiums.
There are approximately 50 insurance companies currently offering cyber insurance policies. These policies are not standardized, like you would see when you purchase a commercial general liability insurance policy (everyone selling the same policy at a slightly different cost). The policies have different terms and conditions, different benefit limits under different coverage categories, and sometimes widely different costs.
Because the market for cyber insurance has grown so quickly, many insurance companies lacked an adequate amount of quality information to properly assess the risks of loss and the amount of damages resulting from data breaches. Some insurers accordingly did not adequately price the insurance coverages they sold. Additionally, the number of data breaches has increased at a much faster pace than was expected. As a result, there is a perception that some insurers are trying to control their losses by taking more aggressive litigation positions.
So why can’t you just rely on your agent when deciding which cyber policy to purchase?
First, your agent may not know how courts are interpreting the terms and conditions of the cyber insurance policies they are selling, or the litigation postures taken by the insurance companies. Insurance policies are interpreted under the governing state law. Some states interpret insurance policies more favorably to policyholders than other states. Here is an example:
An insurance policy states that it will defend the insured from “suits” to which the insurance applies. Some states interpret “suits” to only mean lawsuits, while other states interpret “suits” more broadly to include requests for information and other demands from a regulatory agency when coupled with a specific allegation of liability. See Hartford Acc. & Indem. Co. v. Dana Corp., 690 N.E.2d 285, 290 (Ind. Ct. App. 1997) (U.S. EPA § 104 request for information coupled with a specific allegation of liability … are “suits,” triggering [an insurance company’s] duty to defend.”). Following a data breach, many states require that the State Attorney General or certain agencies be notified. Unless your cyber insurance policy contains broad coverage for notification to comply with state laws, you might not be entitled to a defense until a lawsuit is filed against you or for this notification obligation. Other examples will be discussed during the upcoming webinar.
Your agent may also not be familiar with the litigation posture and strategies taken by the insurance companies to determine which have been the most litigious. At the end of the day, you want to be confident in your coverage benefits and not just have a right to file a lawsuit to fight for coverage.
Second, you may not be able to recover any loss resulting from a gap in coverage against your insurance agent. Some people think that if they rely on their insurance agent to purchase the best policy at the lowest cost and if there is a gap in coverage, that they can turn around and recover any losses or damages resulting from the gap in a malpractice lawsuit against their insurance agent. Often, that is not the case.
States generally follow one of two approaches. A minority of states treat insurance agents as mere order takers with no duty beyond procuring the specific coverage selected by the policyholder. (New York follows this approach.) A majority of states, however, impose a heightened standard of reasonable and ordinary care on agents, similar to the standard imposed for professional malpractice claims. (Illinois follows this approach, and imposes a heightened standard of care on agents.) Some states that fall into the group that follows the mere order-taker approach will, however, impose a heightened standard of care on agents where there is evidence that the customer is relying on the agent’s expertise in procuring insurance. (Indiana and Ohio follow this approach.)
In Indiana, for instance, agent liability turns on a four-part test to identify whether a special relationship exists between the customer and agent to justify imposing a heightened duty on an agent, including whether the agent (1) exercised broad discretion to service the insured’s needs; (2) counsels the insured concerning specialized coverage; (3) holds oneself out as a highly-skilled insurance expert, coupled with the insured’s reliance upon the expertise; and (4) received compensation, about the customary premium paid, for the expert advice provided. See Indiana Restorative Dentistry, P.C. v. Laven Ins. Agency, Inc., No. 49S05-1407-PL-491, 2015 WL 1087199, at *3-4 (Ind. Mar. 12, 2015) (finding that absent a special relationship, an insurance agent is under no obligation to advise an insured about the adequacy of coverage.) That being said, however, the Indiana Court of Appeals noted that in over thirty years, there is only one “Indiana decision to find a special relationship between an insurance agent and an insured as a matter of law. And, only one appellate court decision has found a material question of fact on the issue. All other decisions have found no duty to advise as a matter of law because the parties’ relationship was a typical agent-insurance relationship.” Id. at *5.
Ohio law takes a similar approach. In rejecting a policyholder’s claims against an agent, the Ohio Court of Appeals recently stated that such a relationship is “nothing more than an ordinary business relationship between an insurance agent and client,” that the insured “was in the best position to know how much coverage it needed,” and was at fault for the coverage gap because it “failed to read the policy and make the relevant inquiries.” See Priore v. State Farm Fire & Cas. Co., No. 99692, 2014 WL 811776, at *9 (Ohio Ct. App. Feb. 27, 2014) (reasoning that although an insurance agent has a duty to exercise good faith and reasonable diligence in obtaining the insurance an insured requests, the insured is in the best position to know how much and what kind of coverage is needed and therefore must provide the agent with adequate information to allow the agent to provide appropriate coverage and/or advice.)
Likewise, while the Illinois Supreme Court recently held that an insurance agent has a statutory duty to exercise ordinary care and skill after a specific request is made, an insurance agent has no statutory duty “to obtain the best possible coverage for a customer” or to respond to “a vague request to make sure the insured is covered.” Skaperdas v. Country Cas. Ins. Co., No. 117021, 2015 IL 117021, *8 (Ill. S. Ct. March 19, 2015) (determining that under statute, an insurance agent is required to exercise ordinary care and provide desirable coverage once an insured has asked for said coverage.) So you shouldn’t assume that you can pass on any uncovered loss resulting from a coverage gap to your agent.
In summary, “buyer beware” remains the best advice. Work with your agent to come up with a few best choices of cyber insurance policies. Then, work with a lawyer familiar with how courts have interpreted those policies and with your agent to negotiate key terms and conditions that best fit your needs. And, read your policy, ask questions, and whenever possible obtain answers to your questions in writing to show what the policy was intended to cover.
Look for our next post: “Cyber Insurance: What do Cyber Insurance Policies Cover and Cost?”