Quinn's Commentaries on Insurance Law: June 2014

Tuesday, June 24, 2014

Part II. Some Substantive Contents of Cyber Policies

Some Substantive Contents of Cyber Policies

Michael Sean Quinn, Ph.D, J.D., Etc.

2630 Exposition Blvd #115

Austin, Texas 78703

(o) 512-296-2594

mquinn@msqlaw.com

Some General Propositions.

There are very few industry-wide standardized cyber policies of any cyber species, but there are single-company uniformities in some policies. This lack of the generalized use of standardized policies is true even though insurers read specimens of each others’ policies, and have joint insurer committees discussing standardization, among many other topics.

Insurance companies have been forever conservative about moving into new topical areas. It took hundreds of years to move from coverage for protecting merchants from bandits while crossing the desert to creating primitive maritime insurance. (The maritime portion of this type of insurance was called “bottomry.”) Widely used maritime insurance, as we know it, took more than a 1000+ years to develop, then came commercial fire insurance a mere 250-300 years later. In there somewhere was burial insurance for soldiers, which more or less died out; guild insurance on various perils, some of which pretty much lived into the 20^th century, if labor unions are the progeny of guilds, and there are other components of this grand commercial evolution.

General organizational features of cyber policies have already been set forth. In the cyber-world, some insuring agreements, some definitions, and some exclusions are quite unique. Nevertheless, cyber liability policies have thematic similarities. First, a generalized list for substantive components of first party policies will be discussed presently. After that, such a list will be presented for liability policies. Some policies are liability policies only, others are first-party policies only. Some policies may contain all the covered categories on the lists, a few of them have less than that, and some policies may have only one.

Most cyber policies are package policies. This means that there is more than one form of coverage, and the insured can pick parts of them. This is not just a distinction between first-party coverage and third-party coverage. There may be, say 10 different liability coverages, and a customer—and insured-to be—can often pick any one or more of them. (Sometimes the customer cannot pick just one and not at least one or more. Imagine this: if a “near to being an insured” pick Insuring Agreement #2 it must pick Insuring Agreement #6, as well.

Of course, (a) pure excess policies, though not umbrella policies, and (b) reinsurance policies, whether the first level of reinsurance, the “merely re,” or the next level up, the “retro re,” must work the same way, though for different reasons. For excess policies, the insured under the primary policy is the insured under the excess and the umbrella. Thus, one would expect that excess policies would match up with primary policies, and that umbrella policies would also, to the extent they are not really primary policies. And one would expect that that a reinsurance policy would match up with the policy being reinsured—at least for the most part. Neither of these expectations need be perfectly descriptive; the unexpected “non-match-up” can happen and be planed, agreed to, and rational.

Some Structural Categories for First-Party Policies

These sorts of policies are designed to help the insured to deal financially with covered events that unfortunately happen to it and cause losses. The nature of the potentially unfortunate event is throughout insurance called “the risk,” and—throughout insurance—it is also called “the peril.”

I find this common usage confusing. Guess what. The cause of my confusion is the imperfect—indeed, inconsistent—pattern of usage. Someone might think the way it should be done is this: a peril is a category of event, e.g., storms, for which there is coverage, while the risk is a concrete event of the sort which is a peril, i.e., the storm that occurred, where that event fits within the insuring agreement, but still may fit into exclusion. The trouble is that this suggestion does not correspond to common though confused usage, and it does not set aside a term for the relationships between the potentially injury causing event, the risk, and the probability that the insured will sustain damages, i.e., its risk. And, of course, yet another distinction would have to be drawn. On the one hand, the insured has risks arising from simply what it does and where it is done. If an insured operates a fishing boat in the Gulf, it (i) faces the risk of storm; (ii) if there is a storm, and the insured is in it, the insured faces the risk of destruction; (iii) and if the storm destroys the boat, the insured faces the risk of going out of business. There are three related but different risks here: (i) event risk, (ii) cause of damage risk, (iii) risk of loss. (Oh well. Conceptual life goes on. Besides, there may be ways to integrate the vocabularies to avoid the semantic tangles. Thus instead of there being peril; there might be categories of risks.

In any case, here are categories of risks that can be covered, unfortunate events that can be caused by these perils:

v nature (actually a meta-category, or a peril-set, but never mind,

v foul ups of the policyholder (including both negligence and some deliberate acts[i] of the insured),

v those of another insured on the policy,

v the policyholder’s employees

v one or more known or unknown outsiders,

v either by their foul up(s) conjoined policyholder’s,

v the deliberate acts of the strangers and perhaps others, as well.

Of course, more or many more of these perils can participate in the same process and/or at the same time in creating the same risks or causing the same losses. In other words, causes of loss in the cyber world are just as combinatorial and therefore as many as in the real world.

Both insurers and insureds want to know the probability of any risk, though for somewhat different reasons. And then they want to know the probability that a risk, having occurred, will cause loss.

Here are some typical insurance agreements in first-party cyber policies (or parts of policies):

§ The network security of the insured is breached.

§ The privacy components of the insured are breached.

§ A regulatory proceeding is inflicted upon the insured.

§ The insurer in subject to an adverse media event, e.g., an insured is defamed.

§ The insured’s digital asserts are destroyed, damaged, or rendered unusable.

§ The business income of the insured is reduced..

§ The insured is subject to an extortion or X-napping.

§ The insureds’ system is subject to negligent care of some sort:

o Design

o Construction

o Maintenance

o Securitization,

o and so forth

The reader will note that many of the covered categories, though not all, turn up on both the first-party cyber policies and the third-party policies,

Of course, there is a whole variety of definitions. Some commonly used terms are defined: “Damages,” for example; “Claims” for another. Many of these terms and phrases are found in real world policies, though the definitions are most often different. Almost every term which is technical sounding and/or connected to something central in the cyber world is defined. The definitions are “stacked,” meaning that for many definitions that explicitly appear on the semantic surface of a policy, in the insuring agreement, for example—there is at least one definition used in it. And then for many of the second level definition, there is a third, and so on. Here are common examples of such terms: “Digital Assets” is like this, as is “Electronic Publishing” along with “Network Security,” and many others.

Some Corresponding Categories for Liability Policies

Here are some coverage categories for cyber liability policies. The insured’s liability rests upon performing “wrongful acts or omissions” (WAO [this abbreviation covering both the singular and the plural, as called for]) This whole category rests upon the definition of “wrongful act” and all of them are first-stage-triggers:

Ø WAO injuring the network of another by dispatching “malicious codes,” and similar “poisons.”

Ø WAO causing invasion(s) of privacy.

Ø WAO causing release of private information by another by taking, turning over, distributing, or setting up others to do so.

Ø WAO involving Internet media use.

Ø WAO of cyber professionals and/or vendors of cyber-services,

Ø Performance of any form of hacking, all of which are WAO’s, and/or

Ø Assisting another (or others) who actually do the hacking.

In any given policy, the definitions section and the exclusionary section are the same for both first-party coverage and third-party coverage. This is not unusual in package policies

A Few Elaborations.

There is more public concern and outrage regarding privacy invasions and thefts than any of the others. There is also more interest in these areas where liability insurance might be involved. Many of the urging one finds in the advertising literature emphasize this topic. It seems to me that sometimes the ads collapse together first-party concerns with privacy violations with third-party concerns. The idea that individuals might wish to buy special first-party insurance covering invasions of their own privacy coming from the cyber world is unheard of, as yet, so as I know.

Nevertheless, cyber-invasions of people and companies—actual inhabitants of the real, real-world are often categorized as “identity thefts,” and for good reason. Maybe a special first-party type coverage would be a good idea. Think of the marvelous subrogation cases it would generate.

Claims-Made Policies

Cyber policies are all “claims-made” policies, so far as I know. In general, this alone distinguishes the cyber policies from most other liability policies, which tend to be occurrence-based. In the latter, there can be covered injury that occurs during a policy period but which is not reported to or against the insurer by the alleged victim until after the policy period expires, sometimes a long time after; there may be coverage in such instances mostly dependent on the nature of the injury and other facts about what happened. (Think asbestos). This is not the way claims-made policies work. For them, the claim usually must occur during the policy period.

In spite of the above distinction, there are many phases of claims under both claims-made policies in the so-called real-world and in the co-called cyber-world. All of them contain the following concepts:

Event (allegedly) causing injury (the risk?),

The type category of which that event is a type (the peril?)

The injury or damage, sometimes called the “loss,”

The claim of alleged injury, and often a demand for compensation, made to the insured or its conduit, and against the insured (a communiqué of some sort, almost always written, but not always),

The notice by the insured to the insurer, often also called a “claim”—a claim or demand for coverage (Many insurers try to insist, prima facie, anyway, that the notice or claim come from the insured and it usually that it must be in writing, though not always.),

Adjustment, also often called a settlement process

Resolution or denial.

Some Substantive Contents of Cyber Policies

There are almost no industry-wide standardized cyber policies yet, but there are single-company uniformities in some policies. This lack of the generalized use of standardized policies is true even though insurers read specimens of each others’ policies, and have joint insurer committees discussing standardization, among many other topics.

Some general organizational features of cyber policies have already been mentioned. In the cyber-world, some insuring agreements, some definitions, and some exclusions are quite unique. Nevertheless, cyber liability policies have thematic similarities. First, a generalized list for substantive components of first party policies will be discussed presently. After that, such a list will be presented for liability policies. Some policies are liability policies only, others are first-party policies only. Some policies may contain all the covered categories on the lists, a few of them have less than that, and some policies may have only one.

Structural Categories for First-Party Policies

These sorts of policies are designed to help the insured to deal financially with covered events that unfortunately happen to it and cause losses. The nature of the unfortunate event is throughout insurance called “the risk.” These unfortunate events can be caused by

v nature,

v foul ups of the policyholder (including both negligence and some deliberate acts of the insured),

v those of another insured on the policy,

v the policyholder’s employees

v one or more known or unknown outsiders,

v either by their foul up(s) conjoined policyholder’s,

v the deliberate acts of the strangers and perhaps others, as well.

In other words, causes of loss in the cyber world are just as combinatorial and therefore as many as in the real world.

Both insurers and insureds want to know the probability of any risk, though for somewhat different reasons.

A type of risk that is insured will be called a “category of coverage” or some verbiage like that.

Here are some typical insurance agreements in first-party cyber policies (or parts of policies):

§ The network security of the insured is breached.

§ The privacy components of the insured are breached.

§ A regulatory proceeding is inflicted upon the insured.

§ The insurer in subject to an adverse media event, e.g., an insured is defamed.

§ The insured’s digital asserts are destroyed, damaged, or rendered unusable.

§ The business income of the insured is reduced..

§ The insured is subject to an extortion or X-napping.

§ The insureds’ system is subject to negligent care of some sort:

o Design

o Construction

o Maintenance

o Securitization,

o and so forth

The reader will note that many of the covered categories, though not all, turn up on both the first-party cyber policies and the third-party policies,

Corresponding Coverage Categories for Some Liability Policies

Here are some coverage categories for cyber liability policies. The insured’s liability rests upon performing “wrongful acts or omissions” (“WAO” [this abbreviation covering both the singular and the plural, as called for]) This whole category rests upon the definition of “wrongful act”; in any case, however, here are some examples:

Ø WAO injuring the network of another by dispatching “malicious codes,” and similar “poisons.”

Ø WAO causing invasion(s) of privacy.

Ø WAO causing release of private information by another by taking, turning over, distributing, or setting up others to do so.

Ø WAO involving Internet media use.

Ø WAO of cyber professionals and/or vendors of cyber-services,

Ø Performance of any form of hacking, all of which are WAO’s, and/or

Ø Assisting another (or others) who actually do the hacking.

[The reader should please keep in mind that Quinn Blogs are intended to be thought-stimulating [or, thought-provoking] tools only. The are not intended to be perfected essays. They are in-progress disquisitions only. They are not essays polished to completion. Maybe another time.]

UNDERWRITING & CYBER INSURANCE COMING OF AGE

UNDERWRITING & CYBER INSURANCE
COMING OF AGE

Michael Sean Quinn
1300 West Lynn Street
Suite 208
Austin, TX 78703
Phone: (512) 296-2594
Cell Phone: (512 656-0403
Facsimile: (512) 344-9466

All underwriting of individual policies, or very similar contracts, can be divided into four parts. The parts are stacked on top of each other. The parts are “Everyday Underwriting,” “Mid-level Underwriting,” and “Creative Underwriting”; each of these parts has its own internal range. Finally, at the very top, there is “Managerial Underwriting.” (These names will no longer be in quotes.) The educational literature contains nothing systematic on underwriting in the so-called "cyber-world," and little on it at all. In fact that literature is weak. See Joseph F. Mangan & Connor F. Harrison, UNDERWRITING PRINCIPLES (2nd Ed. 2000), Hank George, UNDERWRITING: WHAT EVERY PRODUCER MUST KNOW (2009), and Joseph F. Mangan and Connor Harrison, ADVANCED UNDERWRITING TECHNIQUES (2nd Ed. 2002).

Remember. An “individual policy” can cover a whole fleet of entities, whether trucks, boats, planes, or anything else. What’s in the fleet need not be even nearly identical, except to fall within a given category. Even planes which can also work as boats can fit three different fleets: planes, boats, and motor vehicles. It can fit into all three at once, and have different insurance for each separate function. Welcome to underwriting. (Also keep in mind that there is no such thing as insurance under-righting; this should not be different, since, in fact, there is now such thing at all.)

This essay is intended to outline how systems of underwriting departments are structured, and what problems this may have for insurers as they become more and more integrally active in the so-called “cyber-world”—a widely used but wretched phrase, if ever there was one. Here are some sample cyber underwriting questions. How should a policy be designed that is to cover warranties on the design and manufacture of digital systems? How should that kind of product liability be conceived for liability insurance? How should storm damage be insured, if at all, when it comes to various categories of cyber stuff? How should the new categories be conceived, written, priced, advertised, and so on? What about insurance for ransom demands pertaining network-napped systems? Or for cyber extortion? What about hacking by employees? Or negligent losses by employees of actual computers and thereby their “innards,” as it were? Or illegitimate use of computer systems by employees whose uses accidentally create a hack-portal? And so on “forever.

Some of it is a bit more theoretical, not to mention philosophical and prophetic. Some might think that the higher levels of what I am suggesting is nothing but intuitive, and a few might wish to characterize it as speculation.
In addition, although virtually all levels of underwriting use "underwriting-centric software, the complexity of that material is directly proportional to the level of the underwriting function. Still, as of a year or so ago, specifically for it and it alone. Some underwriting groups simply designed or customized and used their own. This situation has made integrated communications difficult when different types of data are involved. The same difficulty applies when underwriters reach out for risk information, and the more intricate the more difficult. This kind of complexity and creativity is not the topic of this blog-essay, however, nothing more will be said about it. See, Gail McGriffin (at Ernst & Young), Underwriting Technologies Matures: The Birth and Rise. (www.insurancetech.com)

The “cyber world,” if that is what one wishes to call it, is a “new world,” and so insurance and therefore insurers and therefore underwriting must adapt and be transformed to grasp and handle its wakes and probable (even possible) future causes of further wakes. Given the still existing alien nature of the so-called cyber-world, it is no wonder that an acceptable characterization of insurance underwriting in this rapidly changing environment.

That “world,” or that part of our world, feeds underwriting all sorts of problems arising from all sorts of inescapable and uncontrollable “quickeries”—birth (new product, new policies), hi-tech development (and so new parts or new twists in policies), a spread in cyber-ness, cyberality, cyber-centrality, in addition more and more insurance transformations needed for the next round of cyber changes, all coming at an exponential rate. In addition, all of this is taking place in the vortex (or vortices) of what can best be called “stormy socio-politico-economic surroundings.”

Where is all this information to come from” The understandable literature? Advisory consulting groups? Research groups? Risk management companies? Large firm intermediaries (aka agents and/or brokers), e.g., Aon, Marsh, Lockton, etc.? Some of all this is to be found in reported legal decisions which are difficult for the many to understand but partly on the basis of which, underwriting decisions must be made.

It is no wonder that the underwriting world feels (metaphorically speaking) grabbed, shaken, whipped, and nearly strangled by the collected components its new-ish, still strange and very alien environment. As learned and reliable insurance underwriting has entering and is coming of age in so-called “cyber space,--really just another name for “cyber-world”-- it had and still has no consistent, reliable and universalistic methodology for collecting, systematizing, blending, analyzing and using it to make unquestionably reasonable reliable linguistic, semantic, structural, sales and distribution decisions. Underwriting is afflicted by the disorder of untrustworthy epistemology: no reliable history, no rock solid actuarial foundations, only fragmentary and questionable statistics, and the curse of having to use the language of “yesteryear” in our whole new world. (A world in which most people are still stumbling around.)

Think about changes in underwriting when commercial sailing vessels powered by wind changed to wheel driven ships powered by burning wood, wood and then moved along by metal propellers powered by diesel. Significantly, all of this happened relatively slowly. Keep in mind that wind driven ships and insurance lasted together, albeit sporadically for well over 1000 years. Paddle wheelers stayed around for more than 100 years and were never really ocean-going. And ships metal based in part have been with us for well more than 100 years.

Insurance underwriting has been confronted with new problems slowly. Even now it is confronting a new realm as cyber technology as transformed maritime transportation and therefore maritime insurance. (The May 12, 2014 issue of BUSINESS INSURANCE contains several articles on exactly this matter. The central one is entitled Marine Sector Struggles with Cyber Risks.)

Hull insurance in contemporary commercial aviation has a set of cyber problems, even though the industry is younger—probably around a 100 years or so—and involves different equipment (obviously enough) and probably a more complex financial system, at least because there are 1000s more separate flights every day than there are journeys on the high seas, large lakes, deep rivers, and canals. No doubt the complexity of the cyber equipment is more complex on airplanes than on even the largest ships, given the speed at this the insured entities are traveling and where they are in relation to the surface of the earth. Commercial jets are a jungle of enormously high speed cyber systems. For discussions of the insurance niche when it comes to commercial aviation, see Peter Greenberg, The Big Money Surprise About MH370, 169.7 FORTUNE 11-14 (May 19, 2014). [MH37 is the Malaysia Airline jet that was lost in the Spring of 2014.) (This article points out how fast hull insurance, as opposed to personal injury claims, including death claim, is paid and how many insurers may be involved in insuring on hull, e.g., one for some “ordinary physical destruction” and one for terrorist caused destruction. Greenberg does not discuss reinsurance and its levels. Nor does he draw a distinction between total and partial destruction, and he says nothing about cyber complications. No doubt the cyber category creates a whole new set of problems

At a more big picture, indeed, grand, level, think about the industrial revolution and its aftermath. Property insurance began to come of age slowly in the Eighteenth Century starting with the spread, as it were, of fire insurance, that started in “dribs and drabs” in the previous century, and then very slowly expanding out from there. It has now been called the “First Industrial Revolution It came about in a mere couple of hundred years, or—maybe—a little less. Then we had a “Second Industrial Revolution”; it has lasted around 150 years

That seems fact to those of us that studied economic history in university, but it is nothing compared to what we are talking about as hi-tech history up to know and on into the further. See Erik Brynjolfson & Andrew McAfee, THE SECOND MACHINE AGE: WORK, PROGRESS, AND PROSPERITY IN A TIME OF BRILLIANT TECHNOLOGIES (2011). The see this as a “Third Industrial Revolution” but mostly call it the “Second Machine Age”; they do this in order to emphasize that its essence is to produce knowledge of a new kind and at a different rate.

While all of these observations and speculations are true, two important relatively unrelated points should be made. Senior level underwriters are faced a truly breath taking array of pressing and significant problems, even outside the so-called cyber-world. I say “outside” because elements of the cyber world now permeate the so-called real-world.

Consider for example the following. At first it seemed to many that cyber policies would cover both “far off” cyber entities and the “close in” already familiar entities. Material (or physical objects) were the paradigm. But the mixture of categories did not work well for a variety of reasons. As a result insurer began trying not to pay for things like software when it was damaged. Sometimes they succeeded, sometimes not. After a while, they began to construct new exclusions, and they have worked: most cyber entities got excluded. Thereafter, some insurers began to exclude in so-called real-world policies—like CGL derivatives--all coverage for event having principal causal bases in so-called cyber-space. That has worked too. The trouble was an is that there had to be policies that mixed the so-called different worlds together. No easy task. It will get harder. How should robotic devices be insured? All sorts of things can happen to them. They could wreak all sorts of havoc, whether at directions from some human or some other robot or by some defect inside itself—whatever “inside” might mean.

The overall pressure an underwriters is immense. As I contemplate their burden I am put in mind of the famous Munch painting(s)—the one(s) on a bridge and other than the “Madonna.” In my view the frontline underwriters should not only be lauded, they should be regarded as something like heroes of a commercial and insurance revolution. (When I say “insurance revolution,” I am not suggesting that fundamental principles will change; the “Principle of Fortuity” will not change but a great deal that surrounds it will.)

Since this is the digital age, virtually all of every underwriters work is paperless or nearly so. In addition, all underwriters work together at some time and in some way. “Round Table” discussions are common now; groups that talk to each other with different ideas plus civil and suggestive criticism is always a source of improved thinking.

Even today, they are almost always “vertical” to some extent. This means that the less experienced are sitting together with the more experienced and more knowledgeable. This organization, however, must be, and usually is conceived as a sort seminar, as well as other things, so that ideas can be exchanged and debated and the less experienced and knowledgeable can gain from the more so. Practical wisdom can sometimes be derived from these sessions, whether they are regular (“Every Thursday morning at 7:30 both face to face and on Skype [or its progeny].”), instantaneous (“Good God. We all need to talk about this. Get it set up right quick.”) or irregularly as needed. How vertical practice will work in the cyber world is not yet clear. One must be inclined to think that at some level of cyber-techno-learning, and further development of education, etc., plenty of such help will be integral for years to come, especially given the speed of innovative development.

Now let’s take a look at the four levels. As the paragraphs go along the reader should keep in mind how changes in underwriting will function, how the relationships between underwriting and adjusting will work, and how the setting of reserves can be done when insurers are awash with rapidly moving tech innovations.

The function of Everyday Underwriters is to review routine applications, look for problems in them, seek to correct the problems, accept or reject applications, handle pricing within certain specifications, add some standard form endorsements, instructions for issuing digital dec sheets, deal with intermediaries on routine matters, for example, answering some relatively uncontroversial questions, dealing with adjusters asking questions (for example, when one of them asks a question about the company’s reading of the policy), have work reviewed, handle some audits of other everyday underwriters, very seldom answer outside lawyers’ questions, even more seldom attend deposition, quite rarely be deposed as to what s/he has done, and perhaps rarest of all, be deposed as a 30(b)(6) type witness. And, of course, there are other activities as well.

How routine this type of underwriter’s work is depends upon his/her level of experience, accomplishment, intuitions, articulateness, and so forth. As already indicated, there is a range of activities this type of person performs.
As a general rule, intermediaries do not play a significant role in underwriting at this level, except to be a purchasing agent. Usually they are independent contractors, and that is the way insurers want to look at them. It may be difficult to convince others of that view if the agency has the same name as the insurer, at least roughly speaking. Consider an agency named "State Farm."

Mid-level underwriters do much of the same sort of thing, but for more complex policies. They have more authority to add, subtract and alter endorsements. They also supervise Routine Underwriters (and lower level “Midlevels”), provide advice, conduct Roundtable Discussion Meetings, and report. They are managers, internal consultants, representatives from appropriate intermediaries, insurance thinkers, etc. The size of policies with respect to which they have substantial authority may be quite large, and their size is likely to grow over time.

Their involvement in litigation is higher than the Everyday Underwriter and quite often larger than that of the underwriter of even the Creative Level. At the same time it is true that in some litigated cases, the insured seeks to exclude underwriting files from discovery, and they often succeed except in quite large cases. All underwriters are “isolated” and “protected” from policy holders, third parties, and the general public. The closest to the public is underwriter education conferences, at least as a general rule. At the same time, it is worth notice that some large underwriting operation have members that more or less specialized in litigation involvement—as 31(b)(6) witnesses—and otherwise.

Creative underwriting is quite different from the other two, and even separated from them, in many areas of responsibility, except with respect to various kinds of leadership, teaching, and dialogue. Creative underwriters are, to a considerable extent, designers of a great many things. They too are thinkers—imaginative thinkers.

Often their work is done in groups, to some extent, some of them internal to the company and some of them not. Those outside the company can include companies that design standardized policies, industry representatives, other insurers, reinsurers, brokers, groups of brokers, various businesses of professional associations, sometimes interested governmental agencies, sometimes lawyers, and occasionally academics, often from B-schools.

Here are some examples of their topics; it is incomplete: new policies, new parts of new policies, revisions of old policies and old parts, principles for conducting sound underwriting at various levels, the types of activities to cyber-insure and how, what perils to insure and how, what types of persons in those areas to avoid insuring, what preconditions to impose, what continuous acts, omissions to require or forbid during the coverage period, and so forth.

Their creative thinking has become especially exercised in even more comprehensive ways with the coming of the early stages of e-insurance in the populous cyber-world. If it needs insurance—and it does—it will fall to the Creative Underwriters to design the policies the new era, participate in creating a corporate structure for dealing with what has been designed. Of course, this creates ever closer relations with senior management of the insurer.

Naturally, Creative Underwriters are connected—sometimes closely connected—with the finance side of the company, regarding general conceptualizing of pricing and how to handle adjustments to it and regarding how create, digitalize, and allocate reserves. One of the most interesting things about Creative Underwriting in the cyber age is how to determine the basis point for various types of cyber-insurance when there is vastly insufficient actuarial and other information usable to rationally and confidentially ordain a reasonable starting point for large segments of cyber realms; this is not guess work for this or that policy;[i] it is a much larger group.

All of the same points apply to formulating principles for setting reserves. Of course, doing that is a function of senior, experienced adjusters. But building its connection to pricing falls in part to the underwriting department. Sometimes intermediaries can help.

Even trying to figure out how to think about diverse sectors of the realm is guess work to a considerable extent. Closely connected activities will be quite different with regards to pricing. Consider liability coverage for network injury as opposed to privacy intrusions through networks. Consider first-party coverage for extortion versus “network-napping.” Of course, the list goes on and on and on.

Before proceeding further there is a paradox involve in some activities of more sophisticated and "deeper" underwriters. Sometimes they like to conceive of themselves of not really having to understand the language of the policies they underwrite. How they can think of themselves that way is beyond me. One cannot decide whether to insure a prospective policyholder without understanding what the risks and perils are, what will be covered and what will not, as well as what kind of business the customer is in. Some of this cannot be done without having beliefs about the contents of the policy, and one cannot have that knowledge without having reasonable ideas about what the language of the policy means. One does not have to be right--though s/he usually will be. But one must have an semantic understanding, and it must be reasonable, if the underwriter's job is to be well done. It is also impossible to price policies in reasonable ways without some probable understanding of what's in the policy.
I have seen a particularly striking case of this paradox in testimony. Consider testimony that goes like this:
Q. As an underwriter would you agree with me that the terms of the policy control what is and what is not covered.
A. Yes, of course, although even if something is covered under the insuring agreement it may be "taken out," so to speak, by an exclusion.
Given the underwriters answer, it is impossible for him to know what is covered and what is not. If s/he doesn't know this, what is he actually doing. I wonder if the witness knows what a "sinecure"is.
There are other errors than can, as they say, pile-on when there are mistakes like this. For example, one of the things underwriters do is to "write" the policies. This activity may be actually writing them, writing part of them, putting them together, selectively picking them selectively off shelves, adding specialized endorsements to standard language (say, where there are multiple endorsements to be had), or review (and therefore to some extent editing them) what someone else has actually "written." The broker (or intermediary) may be the "actual" writing entity. In all of these circumstances the underwriter must understand the language of the policy to a reasonable extent and face up to the fact that s/he may makes mistakes, hopefully reasonable ones.
It's easy to understand what is worrying the underwriters when they testify on the contents of policies. They are trying to avoid getting the insurer stuck with the wrong meanings in the contract and maybe be guilty of insurer bad faith. But the alternative is even more devastating. Contracts are entities essentially involving language and if a party claims not to have a clue as to what the contract terms might mean, they look like incompetent business entities. The maxim "Policies holders are expected to know what is within their policies," applies to insurers; "Insurers are required to know what is within their policies." This requirement is not restricted claims adjusters. Indeed, an adjuster's seeking meaning is one reason s/he might visit with an underwriter.

It must be conceded that large policies covering enormous groups involve quite different amounts of information, the handling of it, storage of it, help writing up use manuals, or the supervision of their preparation and alterations, and (last here but never ever least) policy pricing. The same three parts continue to exist, but the responsibilities start higher, are more complex at virtually all levels, and require more massive negotiation strategies, if not exactly goals. Some health coverages, some municipal coverages, and some large group coverage like professional coverages, e.g., coverage for physicians and perhaps cyber-“architects” may be like that.

Other levels of insurance may often be involved in underwriting thinking. In theory, the three parts of underwriters apply to underwriting at the first level reinsurance and (climbing up the ladder) to retrocession reinsurance, a species of the first “re,” as well. Granted, the three parts of underwriting apply to the two, only at a distance, conceptually speaking. There are at least two reasons for this fact. One of them is that the some of the underwriting work amongst both types of reinsures is derivative upon the underwriting of the primary carriers. Another is the existence of the “follow the form” and/or the “follow the settlement” clauses found in contracts of reinsurance. A third is that reinsurers do not usually have the large underwriting staffs of big-time primary, and excess, carriers. (See Reinsurer Interest in Cyber Products, THE BETTERLEY REPORT BLOG ON SPECIALITY INSURANCE PRODUCTS (May 13, 2013) (providing mention of the Reinsurance Association of America on May 212013. There is a video attached. For a discussion of RAA, see Cynthia Lamar and Bradley L. Kading, An Introduction to the Reinsurance Association of America, REINSURANCE NEWS 17-22 (August 2004). Mangan and Harrison's ADVANCED UNDERWRITING TECHNIQUES' Chapter 1 is entitled "Reinsurance."

One interesting feature of cyber-policies, which can make the underwriting simpler, is that, while the really interesting features of these policies, is their peculiarly cyber content, some of the policies cover some ordinarily business risk problems, both internal and external. None of them cover all of them. Early in this blog, there was reference to aviation hull insurance. Other cyber policies—most of them--exclude all such coverages and thereby encourage insureds to look elsewhere for that kind of coverage, e.g., those covering real-world business organization problems. This too was discussed earlier in this blog.

Obviously, there are some business organizations that now prefer to have them integrated. That small visage of the primitive policies will die completely out shortly, I conjecture, at least for larger commercial entities, since it does not really help with risk management to integrate the two into a single document, even if one of the areas is placed in an endorsement. It’s simply harder to read, and there is too much danger of what might be called “hostile interpretative diversity.”

One last portrait. At least liability insurance policies can be divided into two claims categories. In one of them covered events must occur during the policy period, whereas in the other it can occur outside the policy period. Usually both types of policies fit together perfectly: auto crashes are like that. They happen on Day#1 and are reported that day or on Day#2, more or less. Policies that cover some types of injuries like asbestos bodily injury might be quite different: exposure to the injuring an covered peril on Days ##1-300 but manifestation of the injury (or something like it) not until Day #6014.

In contrast there are claims-made-policies, and they require at least that the injury from the covered peril be reported to the insurer during its policy period, and they often require both the cause of the injury and the injury itself to occur during the same policy period. (There are variation on this pattern where reports can come later, legal malpractice policies being one of them.)

Naturally, insurers prefer claims-made-policies to exposure-policies aka occurrence policies. Some years ago the industry tried to switch everything over to the system it preferred, the claim-made system. There was a public outcry, coming mostly through insurance regulators. Now, all the cyber policies of which I am aware are claims-made-policies. All of them also have variations virtually all of which can be added by endorsement, e.g., damaging event might happen a bit before the policy period and/or claim might be made slightly after the policy period. Determining how to handle these options and what to charge for them is a real underwriting headache in the world of cyber underwriting.
Now we come to what might be a nightmare when it comes. Sooner or later customers for cyber liability insurance will be asking for or demanding what I have been calling "exposure-policies." There will be some real pressure on lots of insurers to begin using that form. The industry will resist. Some insurers might capitulate for the sake of premium dollars. Now. . ., that is an underwriting nightmare.
Not much has been said about Managerial Underwriting. Obviously, it will have to do with reinsurance at its various levels, ratemaking, Again see Mangan & Connor, ADVANCED UNDERWRITING TECHNIQUES, Chapter 2 and will overlap Creative Underwriting at various levels, most significantly designing underwriting policies, meaning not just this the policies themselves but policies of the insurance company as to property underwriting procedures. Id. at Chapter 4. At Managerial Underwriting goes higher in the "chain of command" the more it will become a kind of financial underwriting, and by this I do not mean insuring financial entities--that is done below--I mean the use of financial techniques and idea in designing underwriting function/department policies. Id. at Chapter 3.
Financial underwriting has at least two levels. The lower one is the organization and use of data--a cyber activity these days--thinking about different types of data, grasping how statistic and probability work, and so forth. A yet more advance level is understanding and/or working with the connection between contemporary insurance thinking and recent innovations in financial theory.
The financial dimension of underwriting if a changing field. Traditionally, it has been viewed as a determinate of actuarial success, experience, professional intuition, and good luck. Currently there are those who argue that insurance underwriting should be received as a financial activity. Eric Briys and Francois de Varenne, argued in their book INSURANCE FROM UNDERWRITING TO DERIVATIVES (Wiley 2001) that "[t]he contribution of financial economics to property-casualty insurance pricing is highly valuable. Indeed, it helps to push the traditional actuarial approach toward a more focused market orientation, and this is especially timely given the current emphasis on the convergence of of capital markets and insurance markets." (p. 27).
For example, Briys and Varenne claim that "the insurance policy is the functional equivalent of a put option." (p. 25). And they further claim that their new work of what I have called "managerial underwriting" natural event are being secularized and then being placed with investors in the form of derivative securities or structured notes." (p. 31). Indeed, they say, "[t]he Chicago Board of Trade has launched several derivative contracts in which insurance risks are the underlying assets." (Id., et passim.)*
In theory, at least, cyber insurance is an ideal place to develop this transformation. For one thing, there is no serious basis, much less, experience or tradition, of sound actuarial reasoning. For another, we have whole nearly new fields of insurance and therefore insurance underwriting. What a good place to start anew with conceptualizing and applies new ideas, dispensing new knowledge and forms of reasoning. For a general and less technical of the general ideas expounded by Briys and de Varenne, see their THE FISHERMAN AND THE RINOCEROS[: How International Finance Shapes Everyday Life] (1999).
*(If course, one cannot help but wonder how thinking has developed among sophisticated and finance savvy high-level underwriters following the 2008 financial disaster and the role of the derivatives in it.

It should be kept in mind, that some blogs are drafts of what may (or may not) become larger, different written work. They are designed to be just that: drafts, with room for improvement. There are also cyber-typing-tech problems here and there, e.g., I can't always get lines to indent, as is illustrated in this very blog.