Network scans – a ticking time bomb

By Archie Whitehead, Tech, Media and Cyber Broker at New Dawn Risk

Network scanning has become a powerful tool for assessing a cyber risk, as it can offer a comprehensive report of a company’s IT environment and highlight key vulnerabilities at the press of a button. Though these scans are highly useful for gathering information, some cyber markets are starting to use them as gospel when evaluating the risk of potential clients. Cyber carriers should be wary of basing their full rationale off network scans, as this method simply cannot account for all the potential exposures a cyber carrier may be vulnerable to while on-risk. 

For example, one major blind spot for network scans is that they do not pick up on a company’s Operational Technology (OT) environment. While this may not be of concern for certain industries, OT does account for a significant portion of cyber exposure in many industries (for example, manufacturing). When OT exposures are not accounted for, the accompanying risk will not be priced accordingly. While this may seem like a great result for the policyholder, who receives comprehensive cover at a cheaper cost, the insurer is putting both themselves and the insured in a precarious situation should a claim arise.

Additionally, network scanning does not take into account a policyholder’s governance – whether that be around culture, the use of employee security training, phishing simulations, or any other tools that can be used to boost prospective clients’ cyber hygiene beyond the realm of IT systems. Once again, subsequent pricing will not accurately reflect the risk at hand when these factors are overlooked. 

As prior experience has shown, when loss ratios increase for these carriers, there is a need to determine what is going wrong and what needs to be changed. The dependency on scans as an underwriting process poses a hard question: have we learned anything from the last market cycle? Will the same occur again, with insurance companies unexpectedly non-renewing accounts, or unjustly increasing premiums even though the insured has not done anything to warrant such an increase?

If the cyber claims environment deteriorates once more in frequency and/or severity, there is concern that these carriers that have gained a large market share by warranting cheap rates through their scan reports will leave a huge gap in the market, potentially leaving clients stuck without a solution. By extension, this can cause anxiety around having to move policies to alternative carriers and essentially leave both insureds and brokers out to dry. Brokers may be held liable and will have to explain to clients that their cyber policy was placed with a carrier that did not account for all potential exposures. 

Ultimately, network scans themselves are not the concern, but using them as a substitute for traditional risk assessment could become a major issue. These reports should be used in addition to the other underwriting tools within a cyber insurer’s arsenal; the danger comes in thinking they can replace human rationale and insight. Those in the cyber market should brace themselves for when this scanning bubble may eventually burst…

02 September 2021

New Dawn Risk Group Limited, the international specialty insurance broker, announced today the appointment of Angus Simpson as a non-executive director.

Max Carter, CEO of New Dawn Risk, said: “We are delighted to welcome Angus Simpson to our board.  He brings with him a rare depth of board-level experience in the independent London market broking sector, and we have no doubt that he will provide valuable insights and support to our management team.  New Dawn Risk is strongly positioned to become an increasingly influential participant in the specialty liability market, and Angus will be a major asset in helping us to achieve this.”

Commenting on his appointment, Angus Simpson said: “I am hugely excited to be joining the Board of New Dawn Risk at what is, unquestionably, a time of immense opportunity for specialty, privately held, independent brokers in the London market. New Dawn Risk is committed to broadening the range of products and services that it can offer to its clients and is now very well positioned to grow its business over the next few years.”

Angus has a wealth of experience with a career spanning 35 years in the insurance industry. He has set up two businesses, an insurance broker and a Managing General Agency underwriting specialist personal lines business. Earlier in his career, he was a director of a Lloyd’s Broker and ran the Central Broking team at Aon Risk Solutions. Angus has also served as a non-executive director for Kite Warren and Wilson Limited, a Lloyd’s insurance and reinsurance broker.

Notes to Editors

Established in 2008, New Dawn Risk is a specialist insurance broker providing dynamic advisory solutions. We focus on complex, international liability and other specialty insurance and reinsurance. Clients large and small profit from our expertise, creativity and responsiveness – from risk assessment through to claims.

The article below, by Nicky Stokes, Head of Management Liability and Financial Institutions at New Dawn Risk, was originally published in Insurance Day in July 2021.

It is a tough time to be a director or officer. Few can remember an operating environment characterised by quite such a level of uncertainty and array of emerging risks. At the same time, for those looking to transfer some of that risk, the directors’ and officers’ (D&O) liability insurance market has been going through a long overdue period of price corrections, coupled with restrictions on coverage.

The full impact of Covid-19 has yet to be felt and is unlikely to be until governments begin to wind back the unprecedented levels of financial support they have put in place. With the near-term economic and political outlook still uncertain, D&O liabilities linked to company insolvencies are likely to increase.

Of course, the pandemic has by no means been all doom and gloom. Pent-up capital has been seeking an outlet, which has resulted in a wave of transaction activity, driven in no small part by the rise of special-purpose acquisition companies (SPACs). This has brought its own set of risks. A SPAC has just two years to deploy investor capital, which puts the onus on swift action. Rushing to market brings with it the risk of bad deals being negotiated and we should expect claims to be brought against directors and officers as a consequence.

Company executives must also contend with the rising cyber threat, which has been exacerbated by the shift to remote working. Additionally, environmental, social and governance (ESG) issues are climbing up the agenda. With more personal accountability, changing attitudes and the rise of social media, directors and officers are increasingly exposed to claims related to employment-related risks, ethics and culture.

Looking ahead, though, the biggest threat over the coming years will be claims that result from climate change and other environmental issues. These are already behind a number of D&O claims, a trend that is only going to accelerate, driven by a combination of three groups of actors: activists, regulators and investors.

Activist efforts

The recent case brought by Greenpeace, five other environmental organisations and more than 17,000 individual claimants against Royal Dutch Shell in the Netherlands has brought this issue sharply into focus. Dutch judges ordered the oil and gas major to implement stringent carbon dioxide emissions cuts within the next few years.

On the same day, a tiny hedge fund – Engine No.1 – mobilised by a dissident shareholder group dealt a major blow to Exxon Mobil, unseating a number of board members in a bid to force the company’s leadership to reckon with the risk of failing to adjust its business strategy to match global efforts to combat climate change.

Given mounting public concern about the environment, activism is only going to increase and it will not just be oil and gas companies that are targeted. They may be first in the firing line as some of the world’s biggest polluters but firms across agriculture, industry, manufacturing, transportation, the list goes on … should expect to come under scrutiny as well.

Climate change is also being taken increasingly seriously by regulators. In 2019 the UK’s Prudential Regulation Authority applied new rules that require certain financial services firms to nominate a senior manager responsible for identifying and managing financial risks from climate change.

In the US, the Securities and Exchange Commission (SEC) is expected to require public companies to publish data on a whole range of new areas, including greenhouse gas emissions, workforce turnover and diversity, as its new chairman looks to enhance the SEC’s disclosure regime.

Gary Gensler, SEC chair, has already said it plans to introduce new climate-related and human capital rules as it steps up ESG disclosures and earlier this month closed a public consultation on a potential new rule, which is likely to be proposed in October.

Investor behaviour

But it is investors that probably hold the strongest hand when it comes to forcing companies to change their behaviour concerning climate change and, by extension, raising the level of risk facing directors and officers should they fail to do so.

Last year, BlackRock – the world’s largest investor – announced it was making climate change central to its strategy for 2021, putting environmental and social priorities at the forefront of its investment approach. With assets under management of more than $7trn, BlackRock has significant influence on most of the companies in the S&P 500.

Interestingly, BlackRock and fellow investors Vanguard and State Street gave powerful support to Engine No.1 in its case against Exxon’s leadership. These huge investment companies rarely side with activists on such issues, so this marks something of a sea change.

Investor pressure is building elsewhere. Launched last year, the Net Zero Asset Managers initiative saw 30 of the world’s largest asset managers commit to supporting investing aligned with net zero emissions by 2050 or sooner. Just last week Amundi, Franklin Templeton, Sumitomo Mitsui Trust Asset Management and HSBC Asset Management announced they were among the latest big investors joining the initiative, bringing the total on board to 128, which means $43trn in assets are now committed to a net zero emissions target.

This is now a one-way street. Companies across the board need to understand that failing to understand and take seriously their exposures to climate change will have significant ramifications for them and, ultimately, their directors and officers too.


The article below, by Tom Malcolm, Head of UK Broking at New Dawn Risk, was originally published in Insurance Day in June 2021.

Even though four years have passed, issues in cladding have still not been resolved since the Grenfell Tower tragedy. Individuals and families across the UK are stuck living in dangerously clad properties that are more vulnerable to fire and have plummeted in value, nearing the point of being unsellable unless expensive remediation work is carried out.

In February, the Housing Secretary announced that the government would finally be intervening and will pay to remove unsafe cladding for all leaseholders in high-rise buildings, providing reassurance and protecting them from costs. It will also introduce measures to boost the housing market and free up homeowners to once again buy and sell their properties. This is a very welcome development for affected homeowners but does little to address the issues still faced by architects, another key group impacted by Grenfell.

Architects are unable to practice without a professional indemnity insurance policy in place that protects them against a broad range of potential risks, including professional negligence that might result in property damage, personal injury or financial loss, which might stretch back over many years. The problem is the cost of this insurance has risen astronomically to the point where it poses an existential threat to some architects.

Underpriced cover

Why exactly has this happened? To find the answer you need to look back some time. Architects’ PI insurance had been under-priced for many years prior to the 2017 Grenfell Tower fire. The tragedy (and subsequent Hackitt Report) called into question the safety of accepted design and building practices for high-rise buildings, including the use of many types of common cladding, fire-safety management and the principles and responsibility for the sign-off of any building as being ‘safe’. What this brought to the fore was a number of systemic issues with the UK’s Building Regulations regime. 

Previously, any architect’s insurer could rely on the standards and efficacy of all architects’ work being guaranteed by adherence to building regulations, but the confidence of insurers in this as a protection against large-scale claims was undermined by the failings that Grenfell Tower uncovered, including a lack of any clarity over who was ultimately responsible for a building’s safety.

Since 2017, that uncertainty, combined with multiple claims post-Grenfell, has generated fear in the insurance market, with large concerns that the liability may be passed back to the architects and thus the insurers. We have seen many insurers withdrawing from the professional indemnity market altogether. This has caused demand to far outstrip supply, driving up prices to an unprecedented level.

In addition, insurers have also put strict restrictions on the limits they will cover for any one claim, as well as excluding any buildings with ACM cladding from their cover – a significant restriction for commercial architects.

Restrictions in cover also severely limit the types of work architects can carry out, (for example basements, swimming pools, anything fire related) meaning some bread-and-butter architecture project types are becoming close to uninsurable.

The virtually universal restriction on protection for fire safety and strategy in professional indemnity insurance policies issued to architects has led to mistrust of insurers, while insurers have been obliged to take defensive action in response to brokers seeking quickly to “block notify” all projects which may in the future face a challenge to their fire strategy. The ultimate outcome in some cases, and, depending on the breadth of the fire safety exclusion, has been that some firms have had to cease practising.

A way forward

A solution to all this lies with the government. Its announcement in February included a proposal to provide a state-backed indemnity scheme for qualified professionals unable to obtain professional indemnity insurance for the completion of EWS1 forms. Our view at New Dawn Risk is that this proposal should be expanded to include a provision to provide PI insurance covering architects and engineers who specified cladding materials that were within building regulations at the time.

This fund can either be delivered in the form of indemnities directed to the architect, or, we believe more practically, via a reinsurance scheme for insurers of architects, engineers, and other professionals to carve out exposures relating to the specification, inspection and installation of cladding materials that are now deemed to be unsafe. The scheme could be administered through a commercial third-party administrator and claims would be continued to be handled by the insurance industry. Participating insurers would contribute a levy of a percentage of the premium (maybe 5%) to obtain access to the reinsurance fund and would not be permitted to exclude cover for cladding or fire safety claims. We think this will allow the PII insurers to remove the exclusions that are crippling the industry – such as those involving tall buildings, specifications of cladding, etc. – and to moderate the premiums being charged to professionals that are exposed to such historical projects.

Ultimately, this issue has underlined the importance of all parties working together. Insurance brokers and underwriters, lawyers and professional bodies should continue to engage closely to lobby local and national government to broker an effective, long-term solution that supports architects and the wider construction industry.


What can we expect in 2021?

Silent cyber, also called non-affirmative cyber, is the unknown vulnerability in an insurer’s portfolio caused by any cyber risks that have not been explicitly excluded from policies where coverage was not intended to be provided. Whereas standalone cyber policies define clear boundaries for cyber cover, many traditional policies do not anticipate cyber risks; this does not preclude claimants filing claims, and courts agreeing with them, which could result in insurers paying certain cyber loss claims.

In July 2019, Lloyd’s mandated that all policies across all classes of business must explicitly clarify whether they provide cover for cyber risks by either excluding or affirmatively covering such exposures. They released a timetable for enforcing these measures, issuing four phases and pushing rollout every 6 months. The first phase, applied from 1 January 2020, addressed first party property damage policies. The second phase, from 1 July 2020, covered bankers blanket bond (BBB) and crime policies. The third phase, effective 1 January 2021, addressed professional indemnity (PI), D&O and other liability policies. The final phase will take effect on 1 July 2021, and includes lines such as marine XL, casualty treaty and employers liability/WCA.

With such a short timeline for insurers to become compliant, the industry has seen a trend amongst insurers of opting for umbrella-like cyber exclusions rather than offering affirmative cover when scrambling to meet these deadlines.  This pattern has been clearly seen throughout phases one and two, and even the newly-implemented phase three. It is unlikely that we will see much of a difference in phase four come July.

The lack of clarity provided by Lloyd’s when implementing overarching policy mandates has unintentionally created an echo effect, and the gaps in coverage once attributed to silent cyber are now still very evident, but just no longer “silent”. As carriers continue to exclude coverage, the only solution is for policyholders to pursue standalone cyber, which can cover gaps and may offer coverage clients had not previously considered. In 2021 it will be more important than ever to determine whether a separate cyber insurance policy is required and to meticulously ensure appropriate coverage is put in place.

James Bullock-Webster

The article below, by Tom Malcolm, Head of UK Broking at New Dawn Risk, was originally published in Insurance Day in January 2021.

The confidence of insurers in building regulations as a protection against large-scale claims was undermined by the failings the Grenfell Tower fire investigation uncovered.

While all professional indemnity insurance has faced a hardening market during 2020, last year the sub-category of architect’s professional indemnity saw the culmination of four years of tumult, resulting in immense challenges for architects, their brokers and insurers.

The difficulties of renewing and maintaining adequate professional indemnity insurance for architects has caused industry uproar and a swathe of negative publicity within that professional community. The Royal institution of British Architects (Riba) has called on the Ministry of Justice to review the situation but, as yet, no solution has been found.

The problem began with the 2017 Grenfell Tower fire. The tragedy and subsequent Hackitt Report called into question the safety of accepted design and building practices for high-rise buildings, including the use of many types of common cladding, fire safety management and the principles and responsibility for the sign-off of any building as being “safe”. What this brought to the fore were a number of systemic issues with the UK’s building regulations regime.

Tearing up the rulebook

Previously, any architect’s insurer could rely on the standards and efficacy of all architects’ work being guaranteed by adherence to building regulations, but the confidence of insurers in this as a protection against large-scale claims was undermined by the failings the Grenfell Tower tragedy uncovered, including a lack of any clarity as to who was ultimately responsible for a building’s safety.

Since 2017, that uncertainty, coupled with the impact of many years of underpriced policies and combined with multiple claims post-Grenfell, has seen many insurers withdrawing from the professional indemnity market altogether. This has caused demand to far outstrip supply, especially following the Lloyd’s review of underperforming syndicates in 2018, which further increased insurer exits from the segment as they looked to focus on more profitable lines of business.

In early 2020, there were government moves afoot to rewrite the UK’s buildings regulations regime to help improve the situation, but Covid-19 has compounded the market’s issues by drawing governmental attention elsewhere, leaving unresolved issues and resulting in continued uncertainty.

Catastrophic pricing

Much of the impact of all of this has been price-related, with subsequent negative publicity for insurers attached. In May 2020, Architects’ Journal highlighted professional indemnity renewal price rises of up to 800% and campaigned for government support on this issue for the industry.

By October Riba had issued a further statement, detailing its concerns about the significant restrictions of cover that had begun to be common. During the autumn 2020 renewals, it was reported fire protection was excluded from almost all available architect’s professional indemnity policies.

Insurers have also put strict restrictions on “any one claim” limits; as well as excluding any buildings with aluminium composite material cladding from their cover – a significant restriction for commercial architects.

Restrictions in cover also limit the types of work architects can carry out (for example basements, swimming pools, anything fire-related), meaning some bread-and-butter project types are becoming close to uninsurable.

The Architects Registration Board (ARB) head of professional standards, Simon Howard, recently spoke to Architects’ Journal about the difficulties architects were experiencing in acquiring adequate insurance at an affordable price. He suggested these could prevent some firms operating, saying: “No architect should purchase a professional indemnity policy that fails to provide them with adequate cover for the work they do – and that includes fire safety cover. It is clear that if a firm is employed as a fire safety consultant and the policy excludes these activities, then the policy isn’t fit for purpose.”

The virtually universal restriction on protection for fire safety and strategy in professional indemnity insurance policies issued to architects has led to mistrust of insurers, while insurers have been obliged to take defensive action in response to brokers seeking quickly to “block notify” all projects that may in the future face a challenge to their fire strategy. The ultimate outcome in some cases, depending on the breadth of the fire safety exclusion, has been some firms have had to cease practising.

No quick resolution

Looking ahead to 2021, it seems unlikely any of these problems will be quickly resolved. Architects are heavily exposed to the vagaries of the economy. If GDP falls just 1%, it is normal to see a contraction in the architectural market of up to 12%, as large projects are taken off-stream by developers until the economic environment improves. With Covid-19 looking likely to bring a much larger contraction in GDP than 1%, insurers will, therefore, be extra cautious in the risks they are willing to underwrite this year. The insurer supply is not going to increase and, as a consequence, it is unlikely prices will stabilise in the near term, at least.

Perhaps the only solution is for all parties to work together. Riba is seriously concerned about the rising costs of professional indemnity insurance and prevalence of fire safety exclusions, which pose significant risks to architects’ practices, clients and the public.

The institute has suggested all sides, convened by Riba, should continue to engage closely, including the insurance industry, construction lawyers and other professional bodies, and put pressure on the Ministry of Housing, Communities and Local Government and the ARB to broker a solution that supports architects.

We remain sceptical such an outcome is likely and, in the meantime, look ahead to navigating another challenging year in a sector that makes the rocket-fuelled directors’ and officers’ liability market seem stable and positively dull by comparison.



The article below, by Jonathan Franke, Tech, Media and Cyber Broker at New Dawn Risk, was originally published in Insurance Day in January 2021.

The market must be more proactive in terms of understanding and reviewing policy wordings, to accommodate the new exposures relating to 5G-enabled products and technologies…

The next 12 months will see the scaling up of the worldwide roll-out of 5G networks, with North America, Europe and East Asia leading the way.

The importance of 5G has grown since the onset of the pandemic. With much of the world switching to remote working and with the prospect of home offices becoming the new norm, businesses and individuals are requiring faster, more reliable data speeds. Companies are also adapting to network management across multiple locations to continue operating efficiently.

When it comes to data transmission and storage, the majority of the developed world will soon swing towards 5G, as we continue to transition to a progressively cloud-based economy, and that change brings with it a brand new cyber threat landscape – one that is yet to be clearly understood.

Before considering the insurance challenges 5G brings, it is important to understand exactly what 5G is. It builds on the evolution and development of its predecessors, 3G and 4G, allowing societies to smoothly transition into the increased usage of smart devices and offering faster wireless browsing and streaming. According to Ofcom, 5G is “much faster than previous generations and also offers greater capacity, allowing thousands of devices in a small area to be connected at the same time”.

The 5G roll-out will continue to enhance the expansion of the internet of things (IoT) in almost all industry sectors and many homes, as more and more smart devices connected to the internet become essential equipment. While this technology explosion is welcome, not all manufacturers of IoT devices have made cyber security a priority within their business plans.

Globally, there are now billions of interconnected devices, all communicating with each other; these devices have wide-ranging and differing security controls, leading to an unimaginable number of potential vulnerabilities for criminals to exploit. A lack of shared security standards for IoT devices means network breaches and hacking have the potential to travel widely and loopholes occurring between two unmatched systems could easily be exploited by organised criminals.

All this means criminals have already recognised an opportunity to access seemingly secure networks almost undetected. Consumer and individual data could be compromised simply by having a domestic smart meter to measure electricity and gas usage. However, even more significantly for business insurers, 5G is being used in various industry sectors, from farming to manufacturing.

Investment in monitoring

Pre-5G networks have fewer “traffic points” and this means security monitoring and scanning is simpler, less time-intensive, and less expensive for businesses. However, 5G’s dynamic software-based systems have led to a huge increase in traffic points, and to take account of this, both business-to-business and business-to-consumer companies must prepare to invest in more sophisticated and increased levels of monitoring of their networks, controls and technology.

Companies will need to place more and more reliance on IT experts to ensure adequate protection is in place, in spite of a widening IT skills gap. And they will have to do so at speed – planning for the increased risks associated with 5G should already be well developed. Those who have taken their eye off the ball, perhaps distracted by adjusting their operations to cope with Covid-19, run the risk of increased vulnerability.

The same applies to cyber and technology insurers. They have a responsibility to be 5G-ready too, in terms of making sure their cyber insurance offerings are up to speed and they are providing their clients with adequate protection. It is also a responsibility for insurers to ensure their breach response providers are well informed about the developments and roll-out of 5G, as well as being able to respond even quicker to incident notifications and to start negotiations in the case of complex ransomware demands.

In 2021, we will see cyber insurers and buyers scrambling to be ready for the roll-out of 5G; wordings are likely to change, and coverage could be challenged. Some better-informed and more proactive insureds may start to enquire into manuscript wording to cover the threats relating to 5G-enabled products and technology; it is up to insurers to understand these threats and to learn how to respond to these questions before clients come knocking.

This could make 2021 an even tougher year for this already challenged class.  A new and unexplored threat is likely to unsettle insurers and it also poses the questions of how new or changed risks should be rated on a premium basis.  Given an increasingly litigious and claims-active cyber sector, we would expect rates to increase and possibly capacity to constrict for new business in the year ahead and 2021 could be a difficult year for cyber insurers and buyers alike.
