Risk Insider: Phil Norton

Twenty Four Towers Burning

By: Phil Norton | January 4, 2016

Phil Norton is the Senior Managing Director of the Management Liability Practice at Arthur J. Gallagher & Co., and is regarded as one of the world’s leading authorities in his field. He has been named a Risk and Insurance® Power Broker® seven times. He can be reached at [email protected].

In the early 1990s, I had access to good D&O data for a while as the head of the D&O practice for a global consulting firm.

We developed benchmarking techniques for D&O based on a firm’s ownership structure, industry and size. But problems quickly emerged.

Specifically, all the companies in certain market segments were under-insured: because they were benchmarking against each other, they were all buying inadequate limits.

I went to work on modeling D&O risk as an alternative to benchmarking. Fast forward and D&O modeling is the rage. But what is now equally important is the modeling of cyber risk.

When I visited the top cyber insurance carriers earlier in 2015, we discussed the marketplace as one of “24 Towers Burning.” We were not referring to a sequel to the Lord of the Rings.

We were describing the number of cyber breaches where the company suffering the breach purchased a layered tower of cyber insurance and the claim was burning through every layer.

This led to higher prices in 2015, especially in the excess layers. Modeling cyber has thus become exceptionally important in evaluating both limits and viable excess pricing.

One big contrast between modeling D&O and cyber is the consideration of industry. For D&O modeling, industry is fairly insignificant. It does not correlate with severity.

For cyber modeling, industry is hugely important. Studies show certain industries to be higher risk than others. Carriers apparently agree, as they very carefully underwrite health care, retail, financial institutions and higher education.

Once we combine industry with the number of employees and revenues, we can model cyber risk quite accurately. Regardless of industry, cyber risk needs to be diligently reviewed.

The goals are simple: get the right amount of cyber protection via risk management practices and procedures, buy appropriate limits of insurance (for the right price) and take all other steps to ensure against the possibility of a D&O derivative action.

Modeling can help you determine what cyber limits to buy, but for a successful renewal, your IT department must operate with tough security measures, end-to-end encryption of sensitive data, incident response preparedness and Payment Card Industry (PCI) compliance as applicable.

The D&O policy is a proven tool for reducing risk, and is designed to cover many types of claims, including derivative actions. Derivative actions are considered especially dangerous.

Settlements of derivative actions are generally covered only by the Side-A insuring clause of a D&O policy, as indemnification for such settlements is not permitted.

A typical derivative action is brought by shareholders on behalf of the corporation against the individual directors and officers. It would be against public policy to indemnify individuals with corporate monies when the settlement is for individuals to pay back the corporation.

Thus, derivative actions have dramatic significance because they threaten personal assets. Insurance becomes the first line of defense.

There have been two recent trends pertaining to this subject: 1) the increase in the cost or severity of derivative actions; and 2) the increase in frequency of derivative actions that allege the mismanagement of corporate cyber protections.

The best defense against this dangerous subset of D&O claims is to employ effective cyber security practices and to purchase adequate cyber insurance limits.