Training insurance agents and brokers in cyber risk

In the past year, tremendous regulatory developments have taken shape in the realm of cybersecurity, fiduciary responsibility and legal liability for licensees. Starting with the State of New York’s Department of Financial Services (NYDFS) Cybersecurity Requirements and ending with the National Association of Insurance Commissioners (NAIC) Model Law. Beginning in just a few weeks this March, entities are required to file their cybersecurity plan.

While this is widely believed to be just for financial organizations like Chase, JP Morgan, etc., it does in fact apply to insurance companies as well. What is interesting to note is that insurance agents and brokers are required to complete training on a regular basis (also known as Continued Education “CE”) credits.  There are many curriculums that focus on latest updates in underwriting property & casualty, healthcare, general liability, etc. However, a recent search of available options to train agents and brokers how to evaluate the cyber risk profile of an applicant or even internally assess their own cyber hygiene for compliance with NYDFS is nonexistent.

Recently I had the pleasure of speaking with Cheryl Matochik of the Council for Insurance Agents and Brokers (CIAB). One of the topics we covered was the concern a number of insurance stakeholders have about providing adequate resources to agents and brokers on cyber risk matters. Ms. Matochik advised that the CIAB has been contacted by numerous cybersecurity technology firms and professional service providers, but the scope is not addressing how to provide the critical knowledge transfer to the insurance workforce.

Having this degree of knowledge is crucial in making quality decisions on not only evaluating the likelihood of a cyber claim from a client, but also what legal exposure does the licensee possess with the personally identifiable information from their book of clients.

The exposure to risk may be compounded as a result of a recent decision by the U.S. Supreme Court to deny CareFirst a hearing on future harm being a new standard for having standing in a federal civil case. On Tuesday, February 20^th, 2017-  the Supreme Court “denied certiorari” in the CareFirst vs. Attitas case. What this means in layman’s terms is that when a cyber breach of personally identifiable information (PII) occurs, the “harm” no longer has to be proven to have occurred.  Due to the many breaches resulting in future claims of identity theft, credit card fraud, and other crimes, the victim of a data breach has a reasonable expectation that harm will follow.

While none of the 50 States have yet to ratify the NAIC Model Law, noted exceptions are New York and Colorado for implementing parallel requirements, the outcome of the CareFirst case could be a basis for a number of state insurance commissioners to recommend adoption and submit to state legislators for ratification as a state law.

If we take into consideration the exposure each individual representing themselves or each individual representing their company as a point of contact, millions of applications in both electronic and paper formats should be reasonably protected. For licensees that work in New York, Philadelphia, Boston, Washington, D.C., or even Miami, how many clients are defined as “European Residents”?  Notice the term resident and not citizen. In just a couple of months, the General Data Protection Regulation (GDPR) also kicks in and will have profound legal and financial exposure implications to the insurance stakeholder communities.

If you are a licensee and you have concerns about your exposure to these matters, you should contact your corporate office and your state insurance commissioner to drive interest in making training on these matters available.  As an aging workforce begins its natural path to sunset in the insurance industry, Gen Y and Millennials alike, need a path to protect their organizations from increased exposure to volume and value of claims as well as personal liability that could be financially devastating.

The CIAB and other entities are exploring options that will best serve agents and brokers. Right now, the approach is to not have an approach outside of leveraging questions on an application where a simple response of yes or no are the only options. This legacy style of assessing risk is problematic as recently observed by the Ninth Circuit enforced a D&O Policy Recession for a policyholder’s application because of the limitations of a simple yes or no.

A slit panel of the U.S. Court of Appeals heard a case where Western World Insurance Company squared off against Professional Collection Consultants. This case stems from a proposed discrepancy in how the D&O policy holder answered a question with a response of “no” to an insurance application question pertaining to if the applicant had a reasonable belief that a wrongful act, etc. either has been or was expected to take place. 

Because of the limitation of a yes or no answer, the applicant allegedly believed they did not have a reasonable belief.  But the court found that because of the wording of the question, the opposite held true. While this was for a D&O policy, there are similar concerns that exist for standalone cyber policies or Tech E&O where cyber is embedded within that level of coverage.

On March 6, 2018, the CIAB is hosting an event for their LEAD conference where fiduciary and other legal concerns that apply to cyber risk will be featured. As the regulatory landscape becomes more restrictive exercising punitive sanctions against companies that fail to demonstrate have adequate cyber hygiene in place, the insurance sector is business justified in providing training to agents and brokers on these matters to limit the exposure of a claim or defending a position in court.