4 Ways to Improve Your Rating Factors for E&O and Cybersecurity Insurance

Litigation Column
Insurance shields you against risk. Errors and Omissions (E&O) and cybersecurity insurance can cover costs of major breach incidents so that you don't have to pay everything out of pocket. It is an important tool to deal with the costs of breach regulation, litigation claims, and remediation needs.

The analysis required to obtain E&O and cybersecurity insurance provides a roadmap for the active management of a privacy and security program and answers any pressing questions. For example, how is risk quantified from an insurance carrier's perspective? What can be done to minimize risk, and therefore, insurance premiums?

Mike Hennessey, a tech insurance broker from ABD Insurance and Financial Services, summarizes the basics of E&O and cybersecurity insurance in the following Q&A. He highlights the importance of managing your data retention and instituting security, privacy, and employee controls to effectively safeguard your company's data.

ACC: What you refer to as E&O and cyber liability insurance, I tend to think about as cybersecurity insurance. Can you explain the terminology and why it matters?

Mike Hennessey: The language of the insurance industry develops over time, so people may refer to the same coverage using different labels. Generally, E&O, or professional liability, refers to coverage that provides protection when a company provides services or technology to clients. If there is a failure or error that causes a financial loss, then this type of coverage is what responds to the situation. Cyber liability generally refers to coverage related to privacy and data breaches. It relates to claims brought against a company related to the loss, theft, or disclosure of confidential information. In most instances, companies that have both these exposures can obtain coverage with a single policy form.

ACC: What factors determine how high an E&O and cyber liability insurance premium will be?

Hennessey: Insurance rating factors are context specific, relating to your business and an insurance carrier's rating model. However, there are some dominant factors used across the industry. These are the dominant rating factors for E&O and cyber liability insurance, as well as sample questions an insurance carrier will ask about them:

Cybersecurity insurance

The following four factors will set the premium bar at a certain level for the rating models of most insurance carriers. Beyond these, other components may move your premium from around zero to 30 percent.

1.  Minimize the amount of data you manage

ACC: If you clear out or take other steps to minimize the number of records you manage (i.e., unused old accounts), will you decrease an insurance premium?

Hennessey: Yes. Obviously, there isn't a breach risk associated with data that you aren't storing and securing. You can also clear unnecessary data by reviewing what types of data fields you keep in each account and eliminating any data-types that constitute PII with no business case for retention.

ACC: I suspect most businesses have a set business plan and system architecture that requires a certain level of PII data retention, so there may not be much flexibility to eliminate all sensitive data fields of an account. How can a business ensure they're being responsible with data retention?

Hennessey: Data retention relates to the most dominant factors that will determine your risk and insurance premium, so it is prudent to do a full review. And remember, when assessing what data you manage, you must also include data held by vendors and third-parties you work with.

2. Enhance security controls

ACC: What can we learn from the other factors that a typical insurance carrier considers?

Hennessey: Carriers want to know that a customer is aware of various regulatory frameworks and the latest certifications in your industry as they change over time. This means your IT department and CISO will be implementing typical security controls, such as encryption, regular patching, and written comprehensive security policies and procedures. Third-party verified certifications such as SOC2 and ISO 27001 speak to insurance carriers about the strength of your security controls.

Carriers also want to know that senior board members are aware and paying attention to cybersecurity at the company. Luckily, we find this is the case for most medium and larger companies today.

3. Strengthen privacy and employee controls

ACC: What other factors are important?

Hennessey: Typically, insurance carriers also care about the following:

  • Privacy controls and procedures. Carriers want to know that access to confidential data is restricted to and defined by an individual's role at the company. If they do not have a need to access the data, then they are not able to.
  • Employee controls and procedures. Regular and consistent training and testing of employees with regard to privacy safeguards and procedures is critical. This includes testing around threats like phishing. They also want to know that you have procedures for taking employees off the system quickly when they leave employment.
  • E&O in general. Employees should be trained and have the proper education to perform the services they provide and escalate problems through proper channels when needed.

You decrease risk by enhancing your program around such controls.

4. Manage contractual risk and other factors

ACC: In addition to those controls, will carriers ask about customer contracts as well? Why?

Hennessey: Your contract language and procedures matter. Your potential liability for an E&O or cybersecurity event flows directly from your contractual obligations. Thus, carriers consider you to have more risk if your agreements do not cap liability or disclaim indirect, consequential damages, or effectively limit your obligation to remediate following an event. They'll ask whether you have effective procedures that provide oversight to prevent broad indemnifications and uncapped liability from entering into your contracts.

ACC: Is there anything else businesses should consider?

Hennessey: Additional factors include:
  • Media content controls/procedures. For media content, the main issue carriers care about is that you have a process to properly review materials or advertising that is disseminated publicly, which verifies that you have the rights to use it and that you are not infringing on others' rights.
  • History of prior claims and legal proceedings. Carriers and underwriters for the carriers want to understand when things have gone wrong and resulted in claims, what lessons have been learned, and what changes were implemented in your procedures, policies, and controls to help prevent that situation from reoccurring.

ACC: My team takes great pride in our program and believes we go above average to secure the data we hold and design solutions that address privacy and security risks. How can we and other businesses benefit from meeting and exceeding security standards?

Hennessey: This is where I add value to the process. An insurance broker can help present the information that the insurance underwriters want to see in the best possible light in order to obtain the best terms possible.
In addition, we work with the same underwriters for thousands of companies, so we leverage our relationship on an insured's behalf. We know the policy forms forwards and backwards, and what areas can be negotiated and endorsed to the insured's benefit. Also, we help tailor the coverage to what a particular company's exposures may be from a service or data exposure perspective.

If you are involved in mitigating the financial impact of a breach, I recommend that you talk to your own insurance broker. In addition to the basic information outlined above, they will be able to help identify which next steps will provide you with the most value for decreasing your risk and insurance premiums.

About the Authors

Noah Webster is general counsel and secretary for Zix. He writes regularly for the Litigation Column of ACCDocket.com.

Michael Hennessey is a commercial insurance broker with ABD Insurance & Financial Services. Based in Silicon Valley, he focuses on mitigating and transferring corporate risk via nuanced insurance contracts for organizations creating and supporting emerging technologies, such as SaaS platforms, BioPharma, robotics, and digital currency.
