The California Privacy Act is Coming – Is your Cyber Policy Prepared?

If you are doing business in California, you might be unaware that the state's consumer privacy laws are becoming more stringent, especially if you are not domiciled there.  Failure to adhere to these rules could lead to penalties of up to $7,500 per day.  The good news is that it looks like companies will have until January 1, 2020 to comply.

The most common question I am getting from clients is how this differs from GDPR.  I am no expert, so I will defer to the law firm of Cooley, who have done a great synopsis on the Act that can be found here.  Here is what they say are some of the differences:

  • “Obtaining consent under Act differs from the methods required in the GDPR. The GDPR requires affirmative opt-in consent. Under CCPA, consumers need not opt in, but they can opt out of the sale of their personal information. The Act requires new opt-in consent only for the sale of personal information of individuals under the age of 16.
  • The GDPR requires companies to establish a legal basis for processing personal information.  The CCPA does not require businesses to establish a legal basis in order to process personal information, and all processing is legally permissible (subject to some limitations such as opt-in for sale of information).
  • The CCPA requires a particularized disclosure process beyond what the GDPR requires.  This means that compliance with the GDPR’s disclosure process would not necessarily constitute compliance under the CCPA.
  • The GDPR imposes limitations on cross-border data transfers and requires a legal basis for such transfer.  The CCPA does not have any similar requirements.”*

What I see as one of the most important things to be aware of is that Cooley expects regulatory action in the US to be enforced at a more robust level than what we are currently seeing in the EU.

The interesting thing will be how Cyber Insurance carriers handle this.  Will they increase deductibles for regulatory matters in CA, much like we have seen with EPL?  Will carriers offer a lower sub-limit for regulatory action?  Will they have exclusions specific to CA or to certain regulatory actions?  All of this is to be determined, but it is something to be aware of, as it could come up as the renewal process starts for early 2019 expirations.  If you are doing business in CA, your broker should be having these conversations with you.

*Cooley FAQ on CA Consumer Privacy Act – https://cdp.cooley.com/2018/08/02/california-consumer-privacy-act-faqs-1/#section-3

Why Benchmarking Should Not Be Used When Deciding on Directors & Officers Limit

The other day I discussed the rising number of Securities Class Action Filings (here) against publicly traded companies and how they are almost inevitable, with just under 9% of all publicly traded companies expected to face a filing in 2018.  D&O insurance will, or should, respond to these filings, which transfers much of the financial burden to the insurance carrier(s).  Almost every publicly traded company has D&O insurance, so I am not here to make a case for why you need D&O insurance.  Instead, I want to briefly describe what this increase in filings means for the D&O market and take a deep dive into how companies calculate the amount of D&O insurance to carry.

So what is happening in the D&O insurance market?  From a high level, premiums are staying relatively flat unless you are still within the IPO window.  Certain industries, such as Life Science, are a bit more challenging due to claim activity and are seeing rates creep up.  Terms are staying pretty much the same (at least the ones that matter; your broker will always tell you how much your policy improved year over year, even if those improvements were irrelevant to you), but I think we may see this evolve over the next 12 months given some recent judicial decisions.  Time will tell.  Finally, carriers are trying to push retentions (deductibles) higher as a way to remove themselves from trivial legal fees.  If you have experienced something much different from what I have described, I would love to hear about it.

What I really want to talk about is how the vast majority of companies go about deciding how much D&O insurance to buy, and why it is probably not the best way to go about it.  So how do companies currently decide how much insurance to buy?  For the most part, they simply look at what they have now and what their peers are purchasing, and then buy accordingly.  Put simply, they base the decision on “benchmarking.”  I think this is the wrong way to go about it.  I have to admit that this is how I have presented it in the past, because it is how most brokers are taught to present D&O insurance.

This is something I have always given a lot of thought to, and deep down I knew benchmarking was probably not the best way to decide on the limit of insurance.  For other lines of coverage we take a more analytical approach and try to quantify what a company has “at risk.”  We try to determine what a client’s probable maximum loss (PML) is and use this as a starting point for how much insurance to buy.  In D&O, the discussion of PML rarely enters the conversation, especially with small and mid-cap companies; instead it is all about benchmarking.

The main problem with using benchmarking to decide on limit is that benchmarking is a sales tool, which is why it is in every broker presentation.  A broker is a sales professional; we want you to buy more limit because that means more money in our pocket.  The benchmarking data can be manipulated to show you what the broker wants, and that usually means showing that you do not have enough limit compared to your peers.  I am not saying the broker is dishonest or using fraudulent numbers, but as we all know, you can frame a story practically any way you want with data.  What this also does is artificially inflate the limit that is being bought.  Remember that the broker’s goal is to sell you more limit, and every time a company buys another $5 million in coverage, that skews the numbers up.

The broker also knows that as the CFO or Risk Manager you will need to present the data to the Board of Directors.  A CFO never wants to go in and have the benchmarking indicate you are underinsured compared to your peers, which adds another line of defense for the broker in justifying buying more limit.  How many times has a broker come in and said the benchmarking indicates that you are buying too much D&O insurance and we recommend you scale back?  My guess is you have never heard your broker say that, but there are exceptions.  I can think of a few instances where a company had a large drop in market cap and probably had more limit in place than they ever needed to begin with.  Guess what happened with those companies: they did not come close to exhausting their D&O limits, despite the fact that there were shareholder claims because of the market cap loss.

How should we go about deciding on a limit?  Like all other insurance, we need to focus in on two things – frequency and severity.  How often can we expect claims?  Claims are, and should be, rare for this type of coverage, so we want to look more at how frequently your particular industry has claims to determine how vulnerable your company might be to a claim.  How large a claim could we expect in the worst possible scenario?  D&O insurance is driven by severity, so this is where we want to drill down and figure out your PML.  What are the average, median and largest settlements for companies similar to yours, whether by market cap or industry?  What is your company’s risk tolerance?  Do you have cash that could be used in an emergency?  What jurisdiction are you in?  What are the rates of the attorneys you would use, and how does this compare to what your carrier is willing to spend?  The other variable is board members: some board members require that you carry a certain limit of insurance or they won’t sit on the board, so that has to be brought into consideration as well.

Benchmarking has value, but in my estimation it is treated as much more important than it actually is when deciding on the amount of D&O insurance to purchase.  Where I think benchmarking can be informative is on pricing; most companies want to know how they stack up against their peers and whether or not they are getting a good deal.  When it comes to retention it is less important, because carriers are always trying to increase retentions, so it could be a decision that is not in your hands.  The other variables when it comes to retention are risk tolerance and cash flow, and these two things could be much different from company to company.

I doubt benchmarking will be abandoned, but I think the conversation has to shift to trying to figure out what the worst possible scenario is for your company.  I understand that benchmarking is nice to look at, makes justifying a decision to your board easier, and is seen as the be-all and end-all of deciding on a limit.  That being said, with all the data available now, shouldn’t we start grounding our decision on what your exposure is rather than on what your competitor is buying?


What I’m Reading

I hope everyone has a great Sunday. Here is what I am reading today: