Podcasts

And again, if you have those good risk control measures in place, you're starting to see some real rate relief. Coupled with that, you're also seeing strong favorable changes in coverage terms. It's interesting, even as the frequency of ransomware attacks has increased by a magnitude of double-digit percentage points or basis points, the success rate for those ransomware attacks has gone down substantially because the underwriters are starting to see a cause and effect. They're starting to see that that pain caused by those rate increases has led insureds to invest in even more sophisticated and robust cybersecurity measures.

And that has resulted in some real successes in combating the ability of these ransomware actors to get into these systems. We're starting to see some real relief in terms of coverage grants, reduced retentions for claims against insureds for violation of privacy rules and regulations. Once you show the underwriters that you have the capabilities and the structure and the framework in place to prevent these kinds of claims, you're going to see some broader coverage and reduced rate.

Heather Weaver: Thanks, Josh. You mentioned ransomware and privacy violations a couple of times here. And recent years, cyber-attacks, ransomware, all of that, those types of malicious acts have been increasingly more common and have been a hot topic. But one hot topic in the cyber space lately is insurance coverage for non-malicious widespread event outages, such as the CrowdStrike outage. And for any of our listeners who don't know about this, CrowdStrike is a leading global cybersecurity company that offers cloud-based software called Falcon to protect its clients' businesses from cybersecurity attacks.

And the company has been hugely successful, widely adopted by many Fortune 500 companies. And in July of this year, it released a software update that crashed over 8 million Microsoft Windows operating systems. So, been reported that this outage has created a multi-billion dollar in financial losses to companies. So, one hot topic that we've been thinking about more is whether traditional cyber policies cover these types of non-malicious events. And what can policy holders do to try to increase insurance companies' appetite to ensure this type of risk?

Josh Weisberg: Right. So, it's a great question. You and I have discussed this before. When the CrowdStrike failure happened over the summer, I actually was getting ready to do a webinar on artificial intelligence and claims. I know Lynda wants to do a separate webinar on artificial intelligence, and I can't wait to do it. But I was prepared to go on the stage, so to speak, and then the blue screen of death happened. Suffice to say the webinar got canceled. We ended up doing it at a later date. But more to the point, it just shows you the broad reach of these events. And there's real concern amongst cyber underwriters. Happens to be that in this particular instance, the losses associated with the CrowdStrike event were relatively contained to what could have happened in a worst-case scenario. But there is some real conversation that's going on within the marketplace about what needs to be done to hedge risk against the next event, which might be far more substantial, happened.

In this particular instance, most insureds, most policy holders were able to get their systems back up online within what's called the waiting period that's built into cyber insurance policies for business income loss. So, for example, if your systems are shut down because of a covered event and you lost income or your ability to do business for a period of time as the result of that shutdown, that's covered as business income loss potentially under your cyber policy. But there is a deductible that applies to that period. It's usually a number of hours. And in this instance, the number of hours that policyholder systems were down as a result of CrowdStrike, fell within that deductible. So, again, the losses were relatively contained, but what we're starting to see is carriers are reacting to the CrowdStrike event and in some instances, they are looking to restrict cover.

They're looking to either outright reduce coverage for business income loss under cyber policies. And there's a separate kind of business income or business interruption coverage that's called contingent business income coverage. That covers you for, let's say, a ransomware event or something like a CrowdStrike event that does damage or that shuts down not your computer systems, but the computer systems or the network that belongs to your vendor, that belongs to your bank, that belongs to one of your suppliers. And we are definitely starting to see some insurance companies that are outright excluding coverage for a contingent business income coverage because of this concern about the next CrowdStrike event, one of the corollaries to all of that.

Heather Weaver: In this space, contingent business interruption coverage seems like it's something that would be extremely important. But also, a greater risk to an insurance carrier, because an insurance carrier can vet the insured's security systems and processes and procedures of the event of an outage. But when the insured does business with all of these different third parties, it would be more difficult, I would think, for an insurance company to vet those other parties. Do you see sublimits on contingent business on interruption coverage? Are there things that policyholders could do to make their insurance carriers more comfortable providing insurance for contingent business interruption loss?

Josh Weisberg: Great couple of questions. I would say two things. First of all, you obviously need to look at the policies on the front end. Let's say your carrier is willing to provide coverage for contingent business income loss. You still need to look at the coverage triggers. And that's where your coverage counsel and your broker will come into play. There are markets that will offer coverage for what we call non-malicious events for contingent business income loss, human error, programming error. There are carriers that will offer the coverage. There are other carriers that will not necessarily offer the coverage but remain silent on whether or not their policies provide coverage for it. And then there is a third group of carriers that outright exclude it. So, understanding which bucket you fall into on the front end, regardless of whatever limit the carrier might be offering you for what a business income loss, that's definitely step one.

Step two, how can you convince your underwriters that they should look at your risk as having more favorable contingent business income exposure? They definitely want to see that you have the appropriate vendors in place, the appropriate cybersecurity software vendors, the appropriate training vendors, outside vendors that train your personnel on cybersecurity measures, and they want to see good contracts. And the contracts, it can definitely be a thorny issue. It's a complicated issue because in many instances, and this was why we publicized the CrowdStrike event, in many instances, those contracts contain fairly restrictive wording in terms of a customer's ability to file some form of claim against a programmer, a software provider that provides cybersecurity systems, precisely because of the exposure associated with the event.

So, understanding what those contracts look like and making sure that your underwriters are comfortable with the names of the vendors and their reputation within the marketplace, that's how you get carriers comfortable with understanding that you are a good contingent business income risk. But the reality is, as you pointed out before, there's only a limited amount, a finite amount of work that a cyber underwriter can do to check out those third-party providers and third-party systems.

Lynda Bennett: And Josh, I really want to emphasize that last point that you made on the third-party providers, because Heather and I have seen this movie many times before. When you look at the contracts between the policyholder and the vendor, they're usually drafted by corporate lawyers who don't know how insurance works. They don't know the words that they use. They don't know the impact that the indemnification provision, the reps and warranties that are made in that agreement, how that all rolls back to an eventual insurance claim. And so, as you're correctly pointing out here, a cyber policy is one of many ways that you can manage your risk exposure, but so is, again, being proactive and forward-thinking when you're entering into those contracts with those vendors.

And I would strongly encourage our listeners not just to have that be a box-checking exercise of making sure there's an insurance provision in your contract, but also asking to see the policies on the front end. And I know it's a big ask, and I know people say, "Oh, it's so hard to do," but Heather and I have dealt with this time and time again on the claims side. And I can assure you of one thing, there's one guarantee: you're not getting that policy after a claim has happened. So, if you're not thinking about and paying attention on the front end, you're really kind of rolling the dice when you have a claim on the back end.

Heather Weaver: Josh, on our last episode, you also mentioned that you're seeing changes in the general liability and excess markets. Can you tell our listeners a little bit about that? What have you seen in that space over the last year?

Josh Weisberg: So, what we're seeing in the casualty space, and particularly in the excess casualty space, is what we've been seeing unfortunately over the last five years or so, I would say. Social inflation, which is this study of jury verdicts and particularly jury verdicts that are being returned in the personal injury space. They have gone up exponentially. Year over year, we're seeing higher and higher returns. Some of that is a product of COVID, but it definitely does have, it's an array of different factors that are driving these numbers. The more carriers are paying out on jury verdicts related to personal injury cases, the more the cost associated with those payouts are being passed on to the consumer, in this case, passed on to the policy holder.

We're still seeing, again, particularly in the excess casualty space, we're still seeing double-digit rate increases. If you're venued or if your business is located in higher value jurisdictions, for example, in the Northeast, the Southeast, and certain places in the Midwest and on the West Coast, you are seeing even higher rates of increase on your umbrella renewals. It's very difficult out there right now. What insureds need to be aware of as they're approaching renewal is making sure that they're having close conversations with their broker.

Lynda, Heather, and I had a conversation about the macro trends within the marketplace in our discussion about property insurance. And the truth is, you could have a phenomenal loss history as a casualty insured. You could have a history of 35 years of never having a single claim that penetrated your umbrella or excess layers of insurance coverage. That's really not going to have a material, material impact on whether you're going to see rate increases. It certainly can have an impact on the magnitude of those increases, but everybody's feeling the pain in this particular space. We're starting to see more restrictive coverage in the excess casualty space, because carriers have historically priced this coverage with the expectation that umbrella layers are not going to be penetrated, they're not going to be attached. And that's starting to happen with more and more frequency.

It's gone up since 2019 to 2024. It's more than doubled the rate at which carriers are seeing excess penetration into excess layers of coverage. And that's translating into more restrictive terms, both on the primary level for your commercial general liability insurance, and again, on the excess level, on a following form basis. We're starting to see assault and battery exclusions on casualty insurance policies, firearms exclusions on casualty insurance policies, habitability exclusions. So, exclusions outright for claims that relate to a property owner's failure to provide a habitable premises, if the risk is an apartment building, say for example.

Really understanding what the pain is potentially going to look like at renewal, so you can plan for that. And understanding what kind of restrictive coverage may or may not be available to you as a way of possibly providing some form of rate relief and understanding what those costs and benefits are. That's where the global conversation happens between your broker, between your coverage council, and the policyholder to make sure you're making the most educated purchase when it comes to your insurance.

Heather Weaver: Thank you, Josh. This has been a very insightful and interesting discussion on insurance trends over the last year. You've provided a lot of helpful information here for our listeners. As we approach year-end, why don't we talk a little bit about what policyholders can expect in 2025? Where do you see the insurance market headed next year, particularly in light of the new Republican administration?

Josh Weisberg: Wow, that's a question. I would say, first and foremost, anytime that there is a change in the political structure within the US, there's going to be some kind of impact. And that will be felt in every business sector. Insurance is no exception to that. It's going to take some time. I don't know if we're necessarily going to see some of these impacts in 2025. I think where you definitely will see the more immediate impact is certainly, and I'm not an economist, but to the extent that rates go down or interest rates go down, that increases the ability of reinsurers and their seating carriers to provide more capacity. When rates go down, the cost of money goes down. If the cost of money goes down, premium potentially goes down.

So, if there is anything that I would say, you could expect a more immediate impact, it would be there. And again, time will tell whether or not rates actually go down. The other area where you may see a tailing indicator or tailing impact, I guess, would be if and when there is a trickle down to the state level and, or within the lower federal level tort reform. To the extent that there has been some kind of sea change or some kind of change in the local government level that might provide a more favorable environment for tort reform, that could definitely have an impact as well.

We've seen it already, actually. Just as an example, last year, Florida passed a whole series of tort reform initiatives, particularly in the negligent security space or the premises liability space. And we're seeing a real effect there. How long it will take for that to translate into rate relief in the world of casualty insurance, that's going to take a little bit more time. But to the extent that now that expands into other states, that might be an area where insureds will see some kind of benefit.

Lynda Bennett:  Well, we're certainly hoping to see a difference in the claims environment in '25. Because I don't know, Josh, if you've seen this, but over the last couple of years in particular, while those interest rates were really high, we saw carriers taking some pretty extreme positions across all coverage lines. And the skeptics slash policyholder advocates that we are believe that the carriers were making a determination across their books of business, that it was better to drag out the claims process and hold onto it and get some pretty nice interest on claims proceeds that aren't paid immediately. And do you have views on that? And if those interest rates come down, do you think that'll have a direct impact on the claims environment in particular?

Josh Weisberg: A really interesting question. I might answer it a little bit differently.

Lynda Bennett: You must be a lawyer. That's good.

Josh Weisberg: Yeah. I'm going to come up with a different answer. I think that there is a different driver, which might be that to the extent that rates come down and carriers are competing for business on what we would call a softer market level, that will definitely have a trickle-down effect on claims handling. The more competitive the environment is, the more insurance companies are competing over that business, the more favorable the environment is, honestly, for policyholders and for underwriters alike. You may see some kind of help there. I can't say that the rate of return on money is necessarily driving any particular claims adjusters the decision on whether or not they're going to settle a claim.

I do think that as we get further away from COVID, especially for example, in jurisdictions like New York, where courts are starting to increase the pressure to get cases resolved and to get them to trial, that will almost certainly help. The faster cases move, the more pressure will be brought to bear on both insurance companies and policyholders to get cases resolved. And that may have a beneficial impact as well.

Lynda Bennett: Well, you do have to keep me honest, and so we'll sort of end it with this, that you're right. One of the first things that clients ask us when we're helping them on the front end and they're evaluating different renewal opportunities, one of the first questions they asked are, "Well, what's your claims experience with them?" And you and I, and Heather all know that there are some carriers that are easier than others to deal with on claims, disputed claims. So, you're quite right about that. So, the more the carriers get put under pressure to pay the claims, the more that may move the needle in one direction or the other of where we're going to be counseling our clients to go.

Thank you, Josh and Heather. This has been a terrific look back and a very insightful view of what's coming down the pipe in 2025. Josh, we are absolutely taking you up on your soft offer to come back and talk to us about AI, and how that comes into play in underwriting and claims. We'll see you at feature episode, but thanks again for your insights today.

Heather Weaver: Thank you, Lynda and Josh. Appreciate.

Josh Weisberg: Thank you.