Pro Rata vs. Excess of Loss Reinsurance

Facultative and Treaty Reinsurance contracts can be designed utilizing pro-rata or excess of loss provisions.

Pro Rata Reinsurance: The primary insurer cedes a predetermined percentage of the risk to the reinsurer. The reinsurer shares in the losses proportional to the premiums and limits reinsured. Two major types of pro rata reinsurance are: quota share and surplus share.
• Quota share agreements require the primary insurer to cede a certain percentage of every risk within the agreement to the reinsurer (paying a proportional premium). In return, the reinsurer agrees to indemnify losses suffered by the ceding company in the same proportion. If the reinsurer agrees to reinsure 35 percent of the risk (accepting a proportional premium for that agreement), it pays 35 percent of any losses; and
• Surplus share agreements allow the primary insurer to cede a certain percentage of liabilities exceeding a pre-determined retention. The ceded amount can vary from risk to risk. Premiums and losses are received and paid by the reinsurer in the same proportion.

Excess of Loss Reinsurance: The reinsurer agrees to indemnify the primary insurer for all losses exceeding a specified retention either on a per loss basis or an aggregate loss basis. Catastrophe reinsurance, per risk reinsurance, per occurrence reinsurance and aggregate excess of loss reinsurance are all categories of excess of loss reinsurance.
• Catastrophe reinsurance contracts indemnify the ceding company for all losses in excess of a specified amount resulting from a single catastrophic event;
• Per risk reinsurance contracts apply to individual risks (most likely part of a facultative agreement) whereby the reinsurer agrees to assume losses over a pre-determined amount. The primary insurer pays all losses up to that point.
• Per occurrence reinsurance contracts are similar to catastrophe reinsurance.
• Aggregate excess of loss reinsurance agreements stipulate that the reinsurer will pay ALL primary insurer losses that exceed a specified retention during the contract period. For example, the primary insurer contracts with the reinsurer to insure aggregate losses exceeding $500 million in the period. The primary insurer is indemnified for all loss payments above that amount (subject to the policy premium).
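The four structures above differ only in how a loss is split between the ceding insurer and the reinsurer, which is easiest to see by applying each one to the same set of losses. The following Python is an added illustration written for this section; it is not code from the original study material. The function names, the optional `limit` cap on a per-risk excess of loss recovery, and the surplus-share mechanics (retention as a fixed amount per risk, losses shared in the ceded fraction of the sum insured) are assumptions consistent with the text, and every monetary figure in the sample portfolio is constructed.

```python
"""Ceded-loss arithmetic for quota share, surplus share, per-risk and
aggregate excess of loss reinsurance.

Added illustration for this section, not code from the original material.
All monetary figures in the sample portfolio below are constructed.
"""
from dataclasses import dataclass
from typing import Iterable, Optional


@dataclass
class Risk:
    """One insured risk: its policy limit (sum insured) and the loss it suffered."""
    sum_insured: float
    loss: float


def quota_share_ceded(loss: float, cession_pct: float) -> float:
    """Quota share: the reinsurer pays the same fixed percentage of every loss
    that was ceded to it (and for which it received a proportional premium)."""
    if not 0.0 <= cession_pct <= 1.0:
        raise ValueError("cession_pct must be a fraction between 0 and 1")
    return loss * cession_pct


def surplus_share_ceded(risk: Risk, retention: float) -> float:
    """Surplus share: the primary insurer keeps liability up to its retention
    and cedes the surplus above it, so the ceded fraction varies from risk to
    risk. Losses are shared in that same fraction (assumed standard mechanics;
    the text states only that premiums and losses follow the same proportion)."""
    if risk.sum_insured <= retention:
        return 0.0  # nothing exceeds the retention, so nothing is ceded
    # Multiply before dividing so whole-number inputs give exact results.
    return risk.loss * (risk.sum_insured - retention) / risk.sum_insured


def per_risk_excess_ceded(loss: float, retention: float,
                          limit: Optional[float] = None) -> float:
    """Per-risk excess of loss: the reinsurer pays only the part of a single
    loss above the retention. `limit` caps the reinsurer's payment (an assumed
    optional parameter; the text does not mention a cap)."""
    ceded = max(0.0, loss - retention)
    return ceded if limit is None else min(ceded, limit)


def aggregate_excess_ceded(losses: Iterable[float], retention: float) -> float:
    """Aggregate excess of loss: losses are summed over the contract period and
    the reinsurer pays everything above the aggregate retention."""
    return max(0.0, sum(losses) - retention)


def compare_structures(portfolio, cession_pct, surplus_retention, xol_retention):
    """Total ceded losses under each structure for one period's portfolio.
    Returned as a dict so the figures can be checked rather than only printed."""
    return {
        "quota_share": sum(quota_share_ceded(r.loss, cession_pct) for r in portfolio),
        "surplus_share": sum(surplus_share_ceded(r, surplus_retention) for r in portfolio),
        "per_risk_xol": sum(per_risk_excess_ceded(r.loss, xol_retention) for r in portfolio),
        "aggregate_xol": aggregate_excess_ceded([r.loss for r in portfolio], xol_retention),
    }


# Constructed sample portfolio: three risks, each with one loss in the period.
SAMPLE_PORTFOLIO = [
    Risk(sum_insured=5_000_000, loss=500_000),    # 80% ceded under surplus share
    Risk(sum_insured=800_000, loss=300_000),      # below the surplus retention: fully retained
    Risk(sum_insured=2_000_000, loss=1_000_000),  # 50% ceded under surplus share
]

if __name__ == "__main__":
    result = compare_structures(SAMPLE_PORTFOLIO, cession_pct=0.35,
                                surplus_retention=1_000_000, xol_retention=400_000)
    for structure, ceded in result.items():
        print(f"{structure:>14}: reinsurer pays {ceded:,.0f}")
```

Running the sample shows the practical difference: with the same 400,000 retention, the per-risk contract recovers only the part of each loss above 400,000 (700,000 in total), while the aggregate contract recovers everything above 400,000 of the period's combined losses (1,400,000), and the surplus share cedes nothing at all on the risk whose sum insured sits below the retention.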

Cyber Risk Fundamentals


Data is a collection of facts or information that describes something (a person, a device, a business, an idea, a formula, and so forth) and can include measurements, numbers, calculations, or a description based on observations or examinations. In our digital world, vast amounts of data are captured, stored, and manipulated by computer systems.

Cyber risk is the possibility that computer data will end up in the possession of a party who is not authorized to have that data and who can use it in a manner that is harmful to the individual or organization that is the subject of the data and/or the party that collected and stored the data. This loss of data could be through accidental loss or disclosure, or it could be through a data breach, such as data theft, or through leaks resulting from mishandling of the data by an employee or from perpetration by cyber criminals.


The Value of Data

Computer data represents or describes individuals; families; organizations, including all sizes of business enterprises; and governments. On a smaller scale, data describes personally identifying information (PII), individuals’ medical conditions and histories, business accounts, individual transactions, account numbers, and the subject’s net worth—proprietary details that should be kept private.

Data also describes organizations’ and governments’ privileged information, such as intellectual property, trade secrets, business strategies and operating plans, secured documents, military tactical approaches, and finances and net worth. Organizations collect private and public data about their customers, employees, suppliers, service providers, stockholders, and other stakeholders to better meet the stakeholders’ and organization’s needs.

Similarly, governments collect varied information about their structure, policies, subjects (resident and foreign nationals), culture, economies, and national security and about those details of allied and enemy nations. Nations also collect data on technological and scientific advances and failures. Much of this information is secured to create an advantage over other nations.

Regardless of the type, data has value for people and organizations/governments in addition to the organizations that store it. Businesses can use their competitors’ market data to entice customers away from competitors, to gain a market advantage, or to be the first organization to introduce a new product to the market.

Governments of various nations can benefit from data collected by competing nations by gaining superiority in diplomatic power and military actions and in technological and scientific advances. Competitive data is immeasurably valuable and, in the wrong hands, can be destructive to a government/organization or an individual. The potential misuse of data adds to its value.

The Need to Keep Data Secure

Federal and state regulations have been developed to mandate organizations to improve their security efforts and policies. These regulations protect individuals’ private and medical information. Any failure to comply can result in penalties and, possibly, incarceration for those responsible.

The Financial Services Modernization Act of 1999 (Gramm-Leach-Bliley Act) requires banks and other financial institutions to protect customers’ personal financial data. This law includes the Safeguards Rule, which requires organizations to develop written information security plans describing their programs to protect customer information.

The federal Health Insurance Portability and Accountability Act (HIPAA) includes various rules and regulations on the protection of individuals’ private medical information. However, medical information has not been the target of most notable data breaches.

The Sarbanes-Oxley Act (SOX) is federal legislation that protects investors from fraudulent accounting activities by corporations. SOX requires financial firms that trade publicly to maintain internal controls that protect their shareholders from accounting errors and fraudulent practices within the organization and to improve the accuracy of their corporate disclosures.

The Securities and Exchange Commission (SEC) has published guidance regarding disclosure requirements for cyber risk and cyber attacks. The guidance suggests disclosing the costs or consequences of a data breach, any material legal proceedings and their impact on financial statements, and any insurance coverage maintained for such risks.

The payment card industry has established data-security standards that require merchants to safeguard cardholder data and that require extensive information-security measures.

Most states have passed legislation to ensure compliance with data privacy or protection laws or to require reasonable procedures and practices related to data. Some laws require appointment of an internal data security officer and data-breach notification as soon as practical. Some dictate security standards and security requirements for service provider contracts.

Slicing Auto Insurance Data for Pockets of Profit

Many auto insurers are reluctant to insure people in classes that they consider "uninsurable" or to insure statistically poor drivers. These drivers may be youthful and inexperienced, or they may have had multiple moving traffic violations or accidents.

Some insurers have found profitable segments among these "high-risk" drivers by slicing their data into smaller chunks (parsing it) to discover sub-classifications that can still be profitable to underwrite. For example, within a broad group of drivers who are labeled "poor" based on traditional criteria, some individuals are good risks. Using data that was not previously captured, possibly through advanced computing techniques, those good risks can be culled from the larger groups that traditional insurers reject.

As another example, by using technology that obtains information about driving habits, insurers can capture more-detailed data, which can be analyzed and combined to reveal driving habits that are better predictors of accidents than the number of traffic violations the driver has accrued.

Threats to Data and Information Systems

Hackers, Criminal Organizations, and Insiders

Criminal organizations often use stolen data to develop elaborate schemes to conceal their illegal proceedings. They may engage in money laundering; breach of intellectual property or trade secrets; or trafficking of narcotics, humans, human organs, sex, and weapons. Some cyber crime organizations steal government intelligence or manipulate government transactions to attain outcomes favorable to themselves or parties they protect.

Insiders include an organization’s employees and employees of service providers who contract with the organization. Their jobs require access to privileged information or data. Either for their own purposes or for the purposes of others whom they supply, these insiders may steal or leak privileged information.

Human Aspects of Cyber Risk: Behavior, Motivation, and Social Engineering

Human behavior, various motivational factors, and social engineering (phishing) help explain why cyber risk has developed and continues to flourish.

Some hackers break into systems because they can. These hackers have attained knowledge and skills that enable them to outsmart computer security and gain access to privileged information. They hack through different security systems for the challenge and the boost to their egos, which may be their only objective.

Other hackers modify systems to create chaos because they are knowledgeable enough to do so. These hackers may be motivated by rivalry or dissent, and they may coordinate a cyber attack to protest an organization’s action or decision.

Hackers may be motivated by profits from selling stolen information or because they are paid by others to modify a targeted organization’s systems. Additionally, hacker organizations sometimes contract with larger criminal organizations or governments to conduct espionage or theft for hire.

Social engineering, with regard to cyber crime, occurs when a rogue individual, organization, or government psychologically manipulates an individual or a group of individuals into performing criminal actions (such as data theft) or divulging confidential information.

Phishing attacks are one form of social engineering. Another form involves a thief making a phone call to a computer user claiming to be from the security department of the user's computer operating system or a bank. The thief warns the customer that a breach has occurred and requests login or other privileged information, allegedly to protect the victim’s system or account.

The thief may appear to offer services to prevent the victim from notifying authorities. Often, social engineers exploit an individual’s human weaknesses to obtain privileged information; for example, they might purport to be the abductor of an elderly victim’s grandchild to trick the victim into giving account access in return for the grandchild’s safe release.

Another social engineering ploy involves a thief calling the organization’s help desk, claiming to be the chief executive officer (CEO) and exploiting the service representative’s helpful nature to obtain authorization codes that provide broad access to the organization’s computer system, enabling easy access for system hacks.

In other ploys, the cyber criminal uses social engineering to exploit an individual’s vanity or greed and to trick him or her into providing private information; an organization’s passcodes; or direct access to computers, as in the Homeland Security USB flash-drive experiment.

Consequences of a Breach

The consequences to an organization of a data breach can be staggering. Customers can lose access to their stolen accounts, their funds, their ability to use credit, and even their personal reputations.

To repair their damaged credit ratings, customers might hire attorneys. They might sue the organization for damages they incurred, including punitive damages. These costs may be magnified if the customer base initiates and wins a class-action lawsuit.

An organization’s response to a breach can determine the extent of its overall loss. If an organization fails to take prompt action to halt a breach and to report it to regulators and its customers, damages mount and the organization can face penalties for failing to report the breach and for violating privacy statutes.

An organization usually terminates, and may even press charges against, an employee who willfully causes a breach. Then the organization incurs the cost of hiring a replacement and suffers any production loss that accrues in the interim.

If a service provider’s employee was responsible for the breach, the organization should contact that service provider and prohibit the work of that employee. The organization may even cancel the contract with the service provider and pay for any breach of the contract terms regarding cancellation, as well as any legal fees.

Any manager or officer of the organization who knew about the breach and failed to act appropriately may also be terminated. Loss of the organization’s chief information officer (CIO) and CEO, for example, could be expensive for the organization in terms of recruiting a suitable replacement and of allocating funds for an updated employment package.

Even when prompt action is taken after a breach, the organization incurs legal fees for counsel in handling the breach, managing employee terminations and hiring, and resolving any customer losses. The organization may also incur costs for providing credit monitoring for customers affected by the breach or for all customers.

Ultimately, the organization that experienced the breach suffers reputational loss. Swift measures to halt the breach and repair any security lapses, to avoid a breach before one occurs, and to have a plan in place for a breach can help limit reputational costs and financial losses. For a small to mid-size organization, the costs of a breach can result in business failure.

Cyber Risk in an Enterprise Risk Management Context


Enterprise Risk Management (ERM) examines all types of business risks an organization faces that may threaten its survival or solvency.

ERM also evaluates every conceivable treatment to minimize, eliminate, or transfer the organization’s risks and determines the best treatments from among the options. It examines the opportunities available to the organization to enable it to select those that will provide the best return on its investment now and into the future.

ERM enables an organization to attain maximum benefit from its opportunities while minimizing, eliminating, or mitigating risks.

Cyber risk exposures present greater challenges and complexity than traditional property-liability loss exposures because they involve intangible assets, such as business data, personal information, and the organization’s reputation. Restrictive options for insuring these types of assets make them candidates for preventive risk management treatment, in addition to the minimal coverage available for risk transfer through insurance.

A cyber risk loss exposure is any condition that presents the possibility of financial loss to an organization from property, net income, or liability losses as a consequence of advanced technology transmissions, operations, maintenance, development, or support. Enterprises engaged in healthcare, advertising, computer hardware or software design and support, online education, and financial services have unique loss exposures that require expert evaluation. Applying ERM techniques to those exposures will help identify the most appropriate treatments for them.


Overview of First-Party Cyber Risk Loss Exposures

Just as personal data constitutes essential elements of an individual’s identity, an organization is predominantly defined by intangible components such as information about its customers and finances, its competitive intelligence, and its brand. When these are compromised, the organization’s identity is at risk; therefore, understanding the costs of these risks is essential to the organization’s survival.

An organization’s analysis of the financial consequences of cyber loss exposures begins with distinguishing among the various cyber loss exposure categories:

  • Property loss exposures are presented by the tangible property and intangible property of an organization and its key partners, providers, and suppliers. In the context of cyber risk, tangible property exposed to loss or damage can include any physical means by which data is stored or disseminated and related media; other types of tangible property, such as money and securities, may be exposed to theft resulting from cyber attack. In addition, and possibly constituting more than one-half to three-quarters of an organization’s total value, intangible property exposed to loss or damage can include data, intellectual property, and the organization’s reputation.
  • Net income loss exposures that result in business interruption can relate not only to the organization itself, but also to its key customers and suppliers. Net income exposed to cyber risk loss can be discussed in terms of loss of business income (including contingent business income) and extra expenses.
  • Third Party or Liability loss exposures related to cyber risk can be discussed in terms of bodily injury and property damage liability, personal and advertising injury liability, intellectual property liability, and errors and omissions liability.

Cyber property loss exposures and net income cyber loss exposures are considered first-party loss exposures, while cyber liability loss exposures are considered third-party loss exposures. The most significant first-party cyber risk loss exposures include these:

  • Damaged hardware, software, and computer networks
  • Compromised or stolen data and cyber extortion
  • Business interruption and extra expenses
  • Post-breach expenses
  • Reputational damage

Damaged Hardware, Software, and Computer Networks

In the context of cyber risk, tangible property exposed to loss or damage can include data storage and data dissemination equipment and related media. An organization’s data sharing network and its operation can be particularly vulnerable to cyber risk loss exposures such as physical damage and theft, as well as to software damage or corruption.

Such exposures can significantly add to an organization’s costs, as the most effective mitigation techniques for cyber risks related to tangible property loss entail separation and duplication strategies. Separation and duplication techniques require allocating resources for additional equipment and/or facilities to ensure that the failure of one element of the organization’s data infrastructure does not cause its collapse. 

Parties to the Insurance Contract

The insurance contract (policy) involves two parties: the insured and the insurer. The insured is the first party to the insurance contract; the insurer is the second party to the insurance contract. A demand by an insured person or organization seeking to recover for a loss from its insurer is called a first-party claim. When an insured injures a third party or damages property belonging to a third party, the third party’s demand against the insurer, called a third-party claim, is based on the legal duties the insured owes to the third party.

Compromised or Stolen Data and Cyber Extortion

Although intangible property susceptible to cyber loss has no physical form, its value to an organization is often incalculable because of its proprietary nature, the difficulty (or impossibility) of its duplication, and the extent to which it constitutes an organization’s essence. Electronic data (for example, confidential information about customers) is particularly vulnerable to cyber loss exposures; these exposures can include corruption through human error or malice, theft, or a physical cause of loss to the medium on which the electronic data is stored, such as damage caused by malware.

Intangible property exposed to loss also can include intellectual property. For example, an unknown third party could obtain unauthorized access to an organization’s data storage and sharing network and threaten to divulge the firm’s trade secrets, a form of cyber extortion. Another, similar form of cyber extortion entails an unknown third party wresting control of an organization’s e-commerce or data storage apparatus and demanding ransom in exchange for its surrender.

Business Interruption and Extra Expenses

Loss of business income occurs when an organization’s net income and normal operating expenses change as a result of a loss. In terms of cyber risk loss exposures, organizations typically examine potential losses that can occur to data storage and dissemination networks (hardware, software, data, and related media).

For example, the extent to which a denial-of-service attack compromises an organization’s ability to communicate with customers and/or efficiently fulfill orders can reduce the organization’s short-term net income and long-term profitability, as those affected by the service interruption may defect to a competitor.

An additional example of a cyber risk business income loss exposure is a virus that infects an organization’s network, corrupting data and destroying software. Although software can be replaced, at a cost, the organization will sustain a business income loss if it cannot conduct its normal operations during the period of restoration.

Cyber risk contingent net income loss exposures relate to an organization’s income that is dependent on a location that it does not own or directly operate. For example, an organization whose customer web portal is hosted and/or maintained by a third-party provider could suffer a contingent net income loss if the provider’s server is rendered inoperable for an extended time.

Similar cyber risk contingent net income exposures can apply to an organization’s suppliers, utilities, and third-party outsourcers, including exposures related to the consequences of business interruption resulting from a utility’s off-site power failure, from failure of a third party to properly manage and secure data, and from abuse of wireless networks. All of these loss exposures can result in contingent business income losses.

In addition to normal operating expenses, including payroll, that an organization has during a time of suspended or impaired business operations, an organization may need to incur extra expenses to minimize the effects of the business interruption or continue its operations. An organization may have cyber risk extra expense loss exposures if, as a consequence of a cyber loss, it has to purchase items such as software, hardware, or other data storage or dissemination media or hire labor to recreate lost or stolen electronic data.

For example, if a database is compromised, the data may need to be restored or cleansed by technology specialists at an additional expense.

Post-Breach Expenses

Because of the costly and pervasive nature of cyber losses, particularly those involving the compromise of sensitive individual consumer information such as Social Security numbers and financial account data, their prevention has attracted increased scrutiny.

In this environment, an organization’s possession of data is viewed not only as a consequence of business, but also as a matter of public trust. As such, governmental entities frequently require organizations to notify customers when their personal data has been subject to potential compromise and also may levy fines against organizations that fail to protect certain kinds of consumer information, such as healthcare-related data.

Additionally, an organization, whether it is required by law or does so voluntarily to engender goodwill, may offer to provide credit monitoring services to its customers after a data breach. An organization that does this of its own accord may view it as a component of encouraging consumers to associate its brand with security and trust.

In the wake of a data breach, an organization may also incur expenses related to an investigation of the breach’s source and the extent of its damage. Although an internal inquiry may be sufficient in some cases, other situations, especially those involving sensitive consumer information, may warrant a more thorough examination by a third-party forensics investigator.

Reputational Damage

In addition to the more readily quantifiable financial consequences associated with cyber risk loss exposures, an organization exposes itself to substantial reputational risk when it electronically stores, shares, and disseminates data.

Reputation is a key organizational asset because of its intrinsic, intangible value and because of its potential to generate (or erode) future value. The value of some intangible assets, such as trademarks and licenses, is quantifiable.

Reputation, however, is not quantified on a company’s financial statements as an intangible asset. Nonetheless, it is a key asset whose value is based on the beliefs of its stakeholders.

For example, an organization’s reputation as a trusted steward of customers’ personal information might give it a competitive edge over time. Conversely, an organization that suffers a publicized data breach may never fully recover from the associated stigma.

Third-Party Cyber Liability Loss Exposures

An insurance professional should know how to manage not just first-party cyber loss exposures, but also third-party cyber liability loss exposures. Although first-party losses occur more frequently, third-party losses are typically more severe.

All organizations that conduct business online and store private information on a network are exposed to loss from a data breach. The foundation of third-party cyber liability loss exposures is based on these concepts:

  • Customer liability versus trading partner liability
  • Liability for customer data resulting from invasion of privacy, breach of contract, and class action lawsuits
  • Network security liability, including liability for damage to a third party's network resulting from a data breach and e-media liability for libel, slander, infringement of trademark, and copyright
  • Directors and officers (D&O) exposures
  • Errors and omissions (E&O) exposures

Customer Liability Versus Trading Partner Liability

The third party is often the customer of the first-party organization, but it can also be, for instance, a trading partner, such as a supplier or buyer, who receives a computer virus because of the first party’s failure to manage cyber liability loss exposures. Additional damages may be incurred when the third party is a trading partner.

If a trading partner becomes infected with a virus, it may have to stop being a supplier or buyer to the first party, at least temporarily. This could cause a drop in revenue and an increase in costs for the first party as it searches for substitute suppliers and buyers.

Liability for Customer Data

When a first-party organization’s database is breached, thereby causing customers’ private information to be released without permission, customers can sue for a variety of alleged transgressions, including negligence, fraud, conversion, breach of fiduciary duty, invasion of privacy and breach of contract. Invasion of privacy and breach of contract are among the most frequently used allegations in these types of cases.

Invasion of Privacy and Breach of Contract

Invasion of privacy includes an organization’s failure to prevent unauthorized disclosure, deletion, or alteration of personal and corporate information such as credit- or debit-card numbers with matching customers’ names or employee names with matching Social Security numbers.

Costs associated with liability for a breach of this nature include defending a regulatory proceeding brought by a government entity for allegedly violating privacy legislation. Typically in the United States, organizations are required by state law to notify state residents when their personally identifiable information (PII) has been disclosed without authorization.

The federal government has also passed legislation to help safeguard customers’ personal financial information. The Gramm-Leach-Bliley Act of 1999 (often referred to as the Financial Services Modernization Act) contains provisions concerning security protection and standards for customer records maintained by financial services companies. Individual states’ attorneys general and the Federal Trade Commission pursue enforcement actions against first-party organizations regarding the security and privacy of consumer information.

A fine or penalty may be assessed against the first-party organization for failing to comply with a law. Some laws also allow for attorneys’ fees to be awarded to the plaintiff in addition to damages.

Invasion of privacy is broad enough to include documents that contain nonfinancial information, such as photos of celebrities. The third-party individuals in these photos may have relied on assurances of security and privacy from the first-party organization that is storing the photos. In the event that the database containing the photos is breached, the individuals whose privacy has been violated could have a cause of action against the organization.

Breach of contract is a cause of action that third-party customers and trade partners commonly use to sue a first-party organization when it fails to fend off a cyber attack resulting in damages. A contract typically exists between trade partners that includes a promise to protect confidential information in the partners’ care, custody, or control.

The first-party organization does not have to act negligently or breach a standard of care to be found liable under a breach-of-contract cause of action. Failure to fulfill its contractual promise is the key issue.

Class Action Lawsuits

Even the largest cyber security breaches typically do not cause the stock price of an organization to decline far enough to result in a securities class action (class action lawsuit). However, an increasing number of investors are developing a better understanding of how cyber security losses and the costs of breaches affect an organization’s business. This enhanced understanding will probably cause individual organizations’ stock prices to decrease enough to make class action lawsuits more likely.

Plaintiff investors will likely claim that statements made by a first-party organization were misleading because they omitted facts about the cyber security loss exposures faced by the organization. To be successful in asserting this allegation, the plaintiff will need to connect statements with omitted facts.

In cyber security cases, plaintiffs will have an easier task discovering the omitted facts than in other types of cases because of breach-notification requirements, privacy litigation, and government investigations. For example, the Securities and Exchange Commission (SEC) drafted guidelines requiring organizations to disclose material cyber attacks and their costs to shareholders.

Network Security Liability

An organization can be held liable when its network security fails to prevent cyber attacks. Such attacks may result in, for example, unauthorized access to corporate information that allows the attacker to delete, corrupt, or steal data; denial of service, making the network unavailable for its authorized users; or the forwarding of a virus or other harmful code to another computer.

Other situations in which an organization can be held liable when its network security fails include these:

  • Liability for damage to a third-party’s network resulting from a data breach
  • E-media liability for libel, slander, infringement of trademark, and copyright

Liability for Damage to a Third-Party’s Network Resulting From a Data Breach

The scope of network security liability includes failure of a first party to prevent transmission of malicious code. The harmful code could initially infect the first party and then forward itself by traveling through the Internet and contacting other, unaffiliated networks, eventually infecting them.

Although the first party may not be the source of the harmful code in such cases, it may, with proper security measures in place, be able to prevent the code’s spread. By failing to secure the network, however, it may not only enable the code to spread, but also be found liable for breach of a duty to keep malicious code from propagating to other networks.

E-Media Liability for Libel, Slander, Infringement of Trademark, and Copyright

E-media liability can be incurred when a cyber attack successfully introduces offensive content onto a first-party’s website. This content can take various forms.

If it defames or portrays a third party unfavorably in written form, it is considered libel. If the same content is spoken or transmitted by sound, it is considered slander.

A data breach can result in trademarked or copyrighted content displayed on a breached party’s website in a manner that indicates the party owns the intellectual property when, in fact, it does not. Such a trademark or copyright infringement could cause the correct owner of the intellectual property to sue the party with the breached website.

D&O Exposures

Corporate directors and officers often do not give cyber liability loss exposures an appropriate amount of attention. Experts say that this failure to recognize the potential impact of a cyber attack not only exposes an organization to financial losses resulting from the incident itself, but also exposes the organization and individual directors and officers to management liability losses.

When directors and officers fail to fulfill their responsibilities and duties as required under the law, they can be held liable for resulting losses. The major responsibilities of corporate directors include fulfilling their fiduciary duties to the corporation and its stockholders.

The fiduciary relationship is the most important aspect of the corporation in analyzing D&O liability loss exposures. In addition to performing specific functions, directors and officers occupy a position of trust for stockholders, the board of directors, and the general public.

Breach of fiduciary duty is a common basis for suing the directors and officers. Directors’ and officers’ fiduciary duties include the duty of care, the duty of loyalty, the duty of disclosure, and the duty of obedience.

Directors and officers are considered to have fulfilled their duty of care (also called the duty of diligence) if they meet these standards:

  • Act in good faith and in a manner they reasonably believe to be in the corporation’s best interests, which may include shifting the board’s attention toward cyber liability loss exposures
  • Discharge their responsibilities with informed judgment and a degree of care that a person in a similar position would believe to be reasonable under similar circumstances

Directors and officers also have the general duty of undivided loyalty to the corporations they serve. Accordingly, directors and officers cannot usurp business opportunities that properly belong to the corporation. For the same reason, directors and officers cannot own or operate businesses that compete with the corporation.

Further, directors and officers have the general duty to disclose material facts to all persons who have a right to know such facts and would not otherwise be able to obtain them. For example, directors and officers have a duty to make public disclosures of facts that are material, such as a data breach, to stockholders, bondholders, and potential investors in the securities of the corporation.

However, there are certain matters that directors and officers must keep confidential. Normally, directors are not authorized to act as spokespersons for their corporations.

In addition, directors and officers must refrain from discussing confidential or market-sensitive matters with others. Publicly discussing the corporation’s cyber security strategy can compromise the corporation’s cyber security.

Some authorities include a duty of obedience (that is, obedience to the law) in the list of duties of directors and officers. Directors and officers are required to perform their duties according to federal and state laws; for example, compliance with notification laws that mandate informing customers of a data breach is expected.

E&O Exposures

An established rule of law is that liability should rest ultimately on the party at fault. This rule applies in the insurance context.

Insurance producers bear the responsibility for any acts or omissions on their part that occur in the course of their insurance transactions. If any unreasonable conduct or breach of contract results in financial loss to any other party, the producer is responsible to that party for the full extent of the loss sustained. E&O insurance is the professional liability coverage designed to protect producers from these types of losses.

An error could occur and a loss sustained when placing cyber risk liability coverage because traditional insurance, with which a producer is most familiar, does not apply to emerging exposures such as cyber risk. Producers who are not on the leading edge of this emerging exposure may fail to recognize a coverage gap for a client’s exposure.


Risk Control in Cyber Risk Management

Cyber risk loss exposures permeate every facet of an organization's operations, rendering the consequences of a data breach potentially catastrophic. Therefore, risk control is essential to an organization’s incorporation of cyber risk in its enterprise risk management.

Specialized risk control techniques are usually necessary for an organization to control cyber risk loss exposures involving property, net income, and liability. These risk control measures begin with an organization’s determining the scope of its cyber risk loss exposures, often with assistance from a risk management or security specialist.

A cyber risk security strategy should incorporate the organization’s business objectives and available budget and include an assessment of the appropriateness of the risk control measures for the loss exposures being addressed. Properly structured, a cyber risk security strategy can preserve an organization’s resources, reduce the severity of losses that do occur, and hasten the organization’s recovery from a cyber loss.

Risk control techniques aim to reduce either loss frequency or loss severity, or to make losses more predictable. They fall into six broad categories:

  • Avoidance
  • Loss prevention
  • Loss reduction
  • Separation
  • Duplication
  • Diversification
Avoidance

Complete enterprise-wide avoidance of cyber risk is impossible. However, an organization can apply this risk management technique to circumstances in which it can isolate its internal or external stakeholders or its data infrastructure from elements that introduce cyber risk loss exposures:

Internal stakeholders—An organization can avoid cyber-related losses related to an employee’s behavior by preventing that employee from accessing its data-storage and data-transmission infrastructure. Similarly, it can configure its media to bar access to selected employees or institute production procedures that are insulated from that infrastructure.

For example, a group of employees responsible for creating an organization’s marketing materials may have access only to dedicated marketing-related data entry and storage devices unconnected to the organization’s internal data network or data-transmission media.

External stakeholders—Insulating its data infrastructure from external access also allows an organization to avoid cyber risk loss exposures. For example, if an organization has identified a particular geographic region as a likely source of a malware attack, it could configure its external data-communication network to refuse transmissions from that region.

Data-storage media—Cyber-related losses related to an organization’s data-storage media may be avoided if storage media are isolated from internal and external data networks and are inaccessible to personnel.

Loss Prevention

Organizations can reduce the frequency of cyber losses by instituting physical, procedural, and personnel controls:

Physical controls—Physical controls place barriers between cyber criminals and their targets. Organizations should provide basic physical protection, such as guards, locked doors, central security alarms, and automatic devices to detect intruders.

Additionally, organizations can physically limit access to their data infrastructure and can implement other administrative and managerial safeguards that control physical access to systems. Cyber criminals may use tactics to which data-storage and data-transmission media are particularly vulnerable, such as damaging them through magnetic disruption or interruption of electrical power.

Therefore, surveillance should be used for highly sensitive areas where data is stored. Access to such areas should be controlled by requiring personnel to identify themselves with badges or through biometrics.

Procedural controls—Procedural controls specify that tasks be performed in secure ways that reduce losses. In terms of cyber risk, procedural controls apply to how an organization’s data infrastructure is protected.

Security policies should clearly state system-authorization requirements for use of the system, levels of system access, and system-response measures to unauthorized access. If appropriate safeguards are not in place, organizations may never notice clandestine intrusions that are designed to steal information.

Other intrusions that use malware are designed to deliberately and noticeably disrupt operations. Procedural controls that organizations use to thwart such attacks include passwords, antivirus applications, and encryption for stored data and data in transit.

Additionally, an organization can specify monitoring procedures in its procedural controls to prevent inappropriate access or use of its data infrastructure. Procedural controls may also be designed for network updates to ensure that new programs are tested before they are used to process actual data, possibly preventing an errors and omissions liability claim.

Other procedures include establishment of a privacy policy and procedures for how, when, and under what terms an organization will allow material from other websites to appear on its own website. These policies and procedures could prevent claims for violation of privacy laws and for trademark or copyright infringement.

Personnel controls—The attitudes, performance, and behavior of employees can leave an organization exposed to a cyber attack, regardless of whether the resulting loss or damage was intended. Some employees are inadvertently the source of cyber losses—for example, employees who unwittingly introduce a virus to the organization’s data infrastructure.

Others deliberately commit cyber crimes, such as stealing intellectual property or committing identity theft. Disgruntled former employees with knowledge of or access to proprietary information are also potential sources of cyber-related losses.

Organizations can institute sound personnel controls to mitigate the cyber risk loss exposures presented by their employees. Personnel controls include such measures as pre-employment screening, training, outlining unacceptable cyber behavior with associated consequences, and termination procedures that include revoking access and passwords. Personnel controls can also extend to how the organization deals with its customers, suppliers, and neighbors.

Loss Reduction

Managerial controls reduce cyber-related loss by establishing an environment that prevents cyber losses or assists in their detection.

Such measures include centralizing responsibility for cyber security and ensuring that the systems and procedures that have been adopted are monitored and followed in order to control the related loss exposures. This effort can include monitoring the cyber risk security plan and ensuring compliance with risk control measures, such as the creation and storage of backup files and the segregation of responsibilities to prevent any individual from having control of the entire system or inappropriate system access.

Additionally, an organization should continually evaluate and revise its risk control measures. As quickly as risk control measures are instituted to combat cyber risk, the technology that cyber criminals use to overcome them evolves. Therefore, organizations must be prepared to update their techniques accordingly.

A post-data-breach rapid-recovery program aids in reducing the severity of an organization’s cyber-related losses and in restoring operational functionality as soon as possible. Implementing a rapid-recovery program focuses on the organization’s ability to preserve and sustain its operations in the event of a cyber-related loss. Contingency measures should be established to provide equipment, software, or any additional personnel that may be necessary to analyze, repair, cleanse, and restore lost or damaged data.

Also, plans should be developed to address the effects on suppliers and customers. A rapid-recovery program should also include a public relations component so that, if necessary, the organization’s public image, as well as customer and supplier relationships, can be preserved in the aftermath of a data breach.

Separation, Duplication, and Diversification

When an organization implements appropriate segregation of duties, no one person has both custody of an asset and access to the records concerning that asset. This separation restricts the ability of employees to steal an asset and then conceal the theft by altering the associated records. Managers and supervisors have greater access to and can more easily falsify records, but they have fewer opportunities to steal assets.

Additional risk control measures the organization can use as part of a post-data-breach rapid-recovery program include maintaining full backups of its data infrastructure at an alternate location. Additionally, all vital legal and technical documents, as well as copies of data-storage and data-transmission media, should be secured in a fire-resistive, off-site repository, such as those operated by specialized data-storage organizations.

Risk Financing: Retention in Cyber Risk Management

An organization that has not incorporated cyber risk in its enterprise risk management unwittingly treats some or all of its cyber risk loss exposures through retention. Such unplanned retention can have disastrous financial consequences if a data breach occurs, forcing the organization to absorb the costs associated with internal remediation and its liability to third parties. Planned retention, however, may be an effective means of financing certain kinds of cyber risk in some circumstances.

Planned retention is a deliberate assumption of loss exposures (and any consequential losses) that have been identified and analyzed. It is typically the most economical risk-financing alternative because of its associated cost savings. For example, if an organization’s investment in its cyber security infrastructure leads it to retain its cyber liability risk, then it can save money by avoiding the up-front payment of insurance premiums and the costs they include (such as administrative costs, premium taxes, and moral hazard costs).

Retention of cyber liability risk also allows an organization to control the claims process, giving it greater flexibility in the investigation and negotiation of claim settlements. This is ideal in situations in which an organization wishes to litigate cyber liability claims against it in order to preserve its reputation. (In contrast, an insurer may be more willing to settle such claims to reduce defense costs and therefore the payout required on its part.) Additionally, because retention’s effectiveness is correlated with loss avoidance, it encourages enterprise-wide risk control that maximizes the reduction of loss frequency and severity.

An organization’s decision to retain some or all of its cyber losses is informed by its assessment of their frequency and severity.

The frequency of losses is the number of losses that occur within a specified period. Severity relates to the amount of a loss, typically measured in monetary units, such as dollars. Severity can be used to describe the size of an individual loss or a group of losses.

Most large organizations experience numerous relatively small losses. For example, employees at large manufacturers may annually experience many minor injuries, with regular but insignificant financial effects on the organizations.

Conversely, an organization may suffer a catastrophic loss, such as a large fire or a plant explosion, on an infrequent basis. Between these two loss extremes are medium-size losses that may or may not occur regularly.

The general relationships among losses with different frequency-severity characteristics can be illustrated with a triangle. The width of the triangle shows the relative frequency of losses at different severity levels. Usually, the more severe a loss, the lower its frequency.

The opposite is also true. The top segment of the triangle represents catastrophic losses that are characterized by both high severity and low frequency. Therefore, they present a high level of risk to organizations. Most organizations arrange to transfer these types of losses before they occur.

A formal self-insurance plan requires an organization to have sufficient financial resources and risk tolerance to retain potentially significant losses.

Therefore, organizations with self-insurance plans for cyber risks usually embrace risk control techniques. These techniques may involve developing and maintaining a cyber security infrastructure that includes elements such as physical security measures, data encryption, the separation of data-storage media, duplication of data, and rapid-response data-breach recovery plans as part of the organization’s corporate culture.

In general, self-insurance is best applied to losses that are of both high frequency and low severity. Such losses are somewhat predictable in total over a defined time period, such as one year.

Most cyber losses do not fall into this category, as even relatively minor cyber losses (such as an employee’s misplacement of a single digital-storage device on which customer records were copied) can have serious financial consequences. These consequences can stem from the organization’s duty to inform customers of the loss of their personal data as well as from its exposure to potential regulatory action. Additionally, most cyber losses are typically low frequency and therefore relatively unpredictable.

Organizations that are willing to retain a significant share of their own losses in exchange for greater flexibility often employ a specialized form of self-insurance by forming a captive insurer, or captive, to address their risk-financing needs. Most captive insurers purchase reinsurance, usually on an excess of loss basis, to transfer some of their loss exposures to another insurer. Reinsurance provides a captive insurer with many benefits, including the ability to cover large losses, such as those stemming from regulatory action related to a data breach.

A significant advantage of a captive insurance plan is that the parent organization can obtain insurance coverage that is not available from commercial insurers. This is especially valuable in the cyber risk realm, where new threats emerge as quickly as technology evolves and in which an organization’s financial liability for a data breach or cyber extortion incident can be substantial. To obtain these kinds of coverage, the parent pays a premium to its captive, which then issues an appropriate insurance policy.

For example, one specific form of captive insurer, a risk retention group, is a widely used means of obtaining liability coverage for individuals and/or organizations in the same industry. Traditionally, risk retention groups have been formed by professionals for whom liability insurance is either unavailable or prohibitively expensive, such as medical doctors. However, organizations in the same industry can form a risk retention group to obtain cyber liability coverage that is less expensive and more expansive than the coverage available on the open market.

A major advantage of a risk retention group is that it needs to be licensed in only one state in order to provide liability coverage to group members anywhere in the United States. The Liability Risk Retention Act of 1986 supersedes state law that requires an insurer to be licensed in every state in which it sells insurance, thereby saving the risk retention group the expense of complying with regulations in each of the fifty states.


Risk Financing: Transfer in Cyber Risk Management

A sound defense against the potentially catastrophic consequences of data breaches is founded in enterprise risk management. Risk control enables an organization to partially mitigate cyber risks; the financial consequences of those cyber risk loss exposures that risk control cannot fully address can then be transferred.

Insurance is the most prevalent form of cyber risk transfer, through either traditional property and liability coverages—such as those that insurers offer using forms developed by Insurance Services Office, Inc. (ISO)—or specialized cyber risk products. Organizations also may use noninsurance risk transfer methods to manage cyber risk.


Traditional Insurance Coverage

An organization may be able to insure some of its first-party cyber risk loss exposures under policies such as these:

ISO Building and Personal Property Coverage Form (also referred to as the BPP)

The BPP’s Electronic Data additional coverage pays for the cost to replace or restore electronic data destroyed or corrupted by a covered cause of loss, including a virus or harmful code.

ISO Business Income (and Extra Expense) Coverage Form

The Interruption of Computer Operations additional coverage covers loss of business income or extra expense due to a suspension of operations resulting from an interruption of computer operations. The interruption of computer operations must be caused by destruction or corruption of electronic data as a result of a covered cause of loss.

ISO Businessowners Coverage Form (BOP)

The BOP’s Computer Fraud and Funds Transfer Fraud endorsement covers the damage to money, securities, and other property directly related to the use of any computer to transfer funds fraudulently or from fraudulent instruction to transfer funds.

ISO Commercial Crime Coverage Form

The Destruction of Electronic Data or Computer Programs endorsement to this form covers the costs to restore or replace electronic data or computer programs stored in the insured’s computer system if such property is damaged or destroyed by a computer virus or by vandalism committed by a person who has gained unauthorized access to the insured’s computer system.

These policies may offer coverage for third-party cyber risk loss exposures:

  • ISO Commercial General Liability (CGL) Coverage Form—Liability loss exposures for electronic data are excluded under the CGL. However, some coverage may be added back by the Electronic Data Liability Endorsement. This endorsement applies only to electronic data losses that result from physical injury to tangible property.
  • ISO Electronic Data Liability (EDL) Coverage Form—This form provides broader coverage for an insured’s liability for loss of electronic data caused by an “electronic data incident.”

Cyber Risk Insurance Coverage

Cyber risk insurance emerged as a specialized product category in response to demands from organizations with heightened cyber risk loss exposures, as well as from insurers and producers, to address coverage shortcomings presented by standard commercial property and liability insurance policies. Insurers offer a variety of cyber risk insurance policies whose coverage elements can be tailored to the specific needs of technology-based organizations.

The specific provisions of cyber risk insurance policies differ by insurer. Insurers typically offer policies containing first-party-only coverage (property and theft), third-party-only coverage (liability), or both in a combination policy format. Combination policies in particular allow insurers and organizations to match desired coverage with cyber risk loss exposures.

Insuring agreements related to first-party coverages commonly found in cyber risk insurance policies fall into these categories:

  • Cyber extortion
  • Cyber crime
  • Business interruption
  • Terrorism
  • Notification or remediation
  • Electronic data protection

Insuring agreements related to third-party coverages commonly found in cyber risk insurance policies fall into these categories:

  • Electronic media liability
  • Network security liability
  • Privacy liability
  • Technology errors and omissions liability
  • Intellectual property liability

Cyber risk insurance policies are usually subject to a claims-made coverage trigger (as opposed to an occurrence coverage trigger). Claims-made coverage triggers are specified in the policy’s insuring agreement and can include any claim made during the policy period. A claim is typically made when the insured first becomes aware of facts that could cause a reasonable person to assume that a loss of a type covered by the policy has occurred. As is typical with claims-made policies, coverage is usually available for prior acts, subject to a retroactive date, found either in the base form or added by endorsement.

Some insurers that provide policies focused more on media liability, intellectual property, and technology-related coverages may offer forms with an occurrence coverage trigger. Occurrence coverage triggers are also specified in the insuring agreements and can include any covered event that occurs during the policy period, such as liability arising out of website content errors and omissions or out of trademark infringement.

Several types of insurance limits are available for cyber risk policies. The structure and application of limits offered typically depend on whether the policy has an annual aggregate limit of insurance (also referred to as a policy aggregate limit, or simply an annual aggregate). If a cyber risk policy does not have a policy annual aggregate (as is usually the case with package or modular policies), the insuring agreements work independently, each with its own limit of insurance.

Policy retentions and/or deductibles apply to each insuring agreement, per loss, and are often packaged with specific limits, particularly if the cyber risk policy is modular. Defense expenses are payable within the policy limits, thereby reducing the limit of insurance. Some insurers may offer a blanket limit applicable to separate insuring agreements, which is helpful to an insured that is uncertain as to where the organization’s maximum possible cyber risk loss exposure may lie.
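The interaction described above (a per-loss retention on each insuring agreement, defense expenses eroding that agreement’s own limit, and an optional policy annual aggregate capping payments across agreements) can be modelled directly. The following is an added example written for this page, not an insurer’s form or rating tool; the agreement names, retentions, limits, and the year’s claims are constructed for illustration.

```python
"""Model how retentions, per-agreement limits and an optional annual
aggregate interact on a cyber risk policy.

Added example for this page. Agreement names, retentions, limits and
the claim sequence are constructed; they do not come from any insurer.
"""
from dataclasses import dataclass
from typing import Dict, Optional


@dataclass
class InsuringAgreement:
    name: str
    retention: int      # applies to each loss under this agreement
    limit: int          # this agreement's own limit of insurance
    paid: int = 0       # insurer payments so far this policy year

    def remaining(self) -> int:
        return self.limit - self.paid


@dataclass
class CyberPolicy:
    agreements: Dict[str, InsuringAgreement]
    # None models a modular/package policy: agreements work independently.
    # A number models a policy annual aggregate shared by all agreements.
    annual_aggregate: Optional[int] = None
    aggregate_paid: int = 0

    def apply_claim(self, agreement: str, loss: int, defense: int = 0) -> dict:
        ag = self.agreements[agreement]
        # Defense expenses are payable within limits, so they sit on top of
        # the indemnity loss and erode the same limit of insurance.
        gross = loss + defense
        above_retention = max(0, gross - ag.retention)
        payable = min(above_retention, ag.remaining())
        if self.annual_aggregate is not None:
            payable = min(payable, self.annual_aggregate - self.aggregate_paid)
        ag.paid += payable
        self.aggregate_paid += payable
        return {
            "agreement": agreement,
            "gross": gross,
            "insurer_pays": payable,
            "insured_bears": gross - payable,   # retention + anything above limits
        }


def constructed_policy(annual_aggregate: Optional[int] = None) -> CyberPolicy:
    """Three insuring agreements with constructed retentions and limits."""
    return CyberPolicy(
        agreements={
            "notification": InsuringAgreement("notification", 50_000, 500_000),
            "business_interruption": InsuringAgreement("business_interruption", 100_000, 1_000_000),
            "network_security_liability": InsuringAgreement("network_security_liability", 100_000, 1_000_000),
        },
        annual_aggregate=annual_aggregate,
    )


# Constructed claim sequence for one policy year: (agreement, loss, defense).
CONSTRUCTED_CLAIMS = [
    ("notification", 320_000, 0),
    ("network_security_liability", 600_000, 250_000),
    ("notification", 400_000, 0),                 # exhausts the notification limit
    ("network_security_liability", 300_000, 100_000),
    ("business_interruption", 80_000, 0),         # entirely within the retention
]


def run_constructed_year(annual_aggregate: Optional[int] = None) -> dict:
    """Run the constructed claims through a policy and total the outcome."""
    policy = constructed_policy(annual_aggregate)
    results = [policy.apply_claim(*c) for c in CONSTRUCTED_CLAIMS]
    return {
        "claims": results,
        "insurer_paid": sum(r["insurer_pays"] for r in results),
        "insured_bears": sum(r["insured_bears"] for r in results),
        "per_agreement_paid": {n: a.paid for n, a in policy.agreements.items()},
    }


if __name__ == "__main__":
    for label, agg in (("modular (no aggregate)", None), ("annual aggregate 1.2M", 1_200_000)):
        out = run_constructed_year(agg)
        print(f"{label}: insurer paid {out['insurer_paid']:,}, insured bears {out['insured_bears']:,}")
        for r in out["claims"]:
            print(f"  {r['agreement']:<28} gross {r['gross']:>9,}  insurer {r['insurer_pays']:>9,}  insured {r['insured_bears']:>9,}")
```

Under the modular policy the third claim is capped by the notification agreement’s own remaining limit while the liability agreement is unaffected; with a 1.2M annual aggregate the same claim is cut further and the fourth claim is paid nothing, which is the trade-off between independent limits and a policy aggregate.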

Noninsurance Risk Transfer

Organizations can also use non-insurance risk transfers as a means of cyber risk financing:

A hold-harmless agreement is a type of non-insurance measure that organizations can use to receive reimbursement for cyber risk losses or to transfer their cyber risk loss exposures. For example, an organization could insist that a vendor operating its web server promise to indemnify the organization for lost sales if the server were to malfunction.

In addition to using hold-harmless agreements, many software firms use liability disclaimers. While disclaimers are not technically considered a non-insurance risk transfer technique, organizations employ them to limit the scope of their liability. For example, organizations that collect their customers’ personal information can use disclaimers and disclosure statements to inform customers of how they may use their personal information and the extent of the organization’s liability should the information be illegally disclosed.

Hedging is also considered a non-insurance risk-transfer technique. It is practical when it is used to offset loss exposures to which one is naturally, voluntarily, or inevitably exposed. An organization can use hedging techniques to offset cyber risks present in its supply chain. For example, an organization that uses a third party to facilitate its transmission and receipt of data faces the loss exposure of bandwidth price variability. To offset this loss exposure, the organization might enter into a futures contract to purchase a fixed volume of bandwidth capacity over the coming year at a pre-agreed price. (A futures contract is an agreement to buy or sell a commodity or security at a future date at a price that is fixed at the time of the agreement.) If the market price of bandwidth capacity increases over the next year, the organization will save money by buying it below the prevailing price. If the market price drops, the organization will pay more than the prevailing price. Either way, the organization’s loss exposure is reduced because the cost variability is eliminated.


Navigating Cyber Insurance Applications

Producers must obtain a lot of information from a client to complete a typical cyber risk insurance application. In response to applicant complaints that the application is too lengthy and difficult to complete, some insurers have developed short-form applications, requesting financial and industry classification information. Some short-form applications ask basic questions about an organization’s current security and risk management procedures. An underwriter can use this information to develop a reasonably accurate quote for cyber risk coverage, without the need to quote various limits and deductibles. However, if a client decides to purchase the coverage, a detailed, long-form application must be completed. To add benefit for the applicant, some insurers include cyber risk management guidelines in the application form.

The task of completing a detailed application form can be managed by appropriate personnel from throughout the organization. A list of application sections and the personnel with the applicable information could include these:

  • General information, policy limits and retentions, and known data losses should be supplied by the client’s risk manager or financial officer.
  • Technological details such as network security, firewalls, intrusion detection, patch management, data encryption, data backup procedures, and similar information should be supplied by IT officers.
  • Details regarding securing data on mobile devices (encryption), procedures for handling confidential paper files, and security and privacy training for staff should be supplied by privacy officers.
  • Details about disaster recovery plans, incident responses, employee agreements, and discipline procedures should be supplied by human resources staff.
  • Information regarding the acquisition and use of website content and social media postings should be supplied by marketing officers.
  • Information about contracts with service providers that offer data backup or storage, web hosting, software design, and so forth should be supplied by the organization’s legal counsel.

An organization may want to implement other aspects of an ERM program before applying for cyber insurance coverage. Doing so would make the application more attractive to a prospective insurer. This could influence an underwriter’s acceptance of the risk and qualify the organization for a premium reduction.

Cyber Risk Issues for Agents and Brokers

Nearly all organizations are subject to cyber risk. As technology evolves, cyber criminals find new ways to breach organizations’ information systems, and the costs to organizations to mitigate the damage can be tremendous.

News headlines of the damages from cyber breaches encourage agents’ and brokers’ (referred to as producers throughout) clients to plan for the threat of a cyber breach. Producers can assist clients with cyber risk planning advice, which can be incorporated into their enterprise risk management (ERM) programs. When it is appropriate for a client to transfer some cyber risk, producers can recommend cyber insurance coverage that fills the gaps. A producer can suggest these cyber-related enhancements to a client's risk management plan:

  • ERM security measures and procedures to minimize cyber risk
  • A manageable retention amount for some cyber risk
  • Forms of cyber risk that may be transferred to insurers
  • Ongoing risk management measures that reduce insurance premiums and help manage uninsurable risk
  • Measures to mitigate damage when a cyber breach occurs

Challenges in Selling Cyber Insurance

Producers that sell cyber insurance should prepare to address a variety of customer perceptions about and objections to buying cyber risk coverage and should prepare to help customers navigate a cyber insurance application.

A producer should be able to get a good estimate of the appropriate cyber coverage and its cost from an experienced underwriter based on a review of the organization's revenue data and its website.


Customer Perceptions

Many producers perceive that their clients do not believe that they need cyber coverage; in fact, a large percentage of organizations believe that they already have cyber coverage in their existing policies.

Perceptions about excessive premiums, insufficient cyber coverage options, and policies with multiple limits and deductibles make selling cyber risk insurance challenging.

Overcoming Customer Objections to Buying Cyber Insurance

With appropriate knowledge, a producer can counter most of a client’s objections to developing a cyber risk management plan. Some commercial insurance policies offer limited cyber coverage. By explaining the extent of existing coverages, suggesting procedures that reduce the risk, and suggesting additional cyber insurance products when appropriate, producers can ensure that their clients' cyber treatment is adequate.

Producers have a professional duty to keep current on trends and regulatory issues related to cyber crime and privacy. They can use this knowledge to adopt an unofficial risk manager role for their small- and mid-size clients. Offering this service can encourage clients to establish security measures and purchase cyber coverages for the threats that are targeted at their types of businesses. Producers can also use this knowledge to offer a cost-benefit analysis to their clients about the ERM programs they recommend.

Producers can help clients recognize and prepare to manage the costs of any cyber breach by using terminology and scenarios that their clients can understand and relate to, such as these:

  • Your employee inadvertently forwards an email message containing client personally identifying information (PII)—Government regulations require notification to any customer whose PII may have been breached. In addition to the costs of the notification, your company is liable for any damages suffered by affected customers and any related defense costs. The reputational damage could be extensive. Offering free credit monitoring for a year to affected customers would be worth the cost.
  • Your disgruntled employee becomes a spy for your competitor and gives it your client lists, business secrets, and strategic plans—In addition to the costs incurred in the email case, you could lose a competitive advantage, a cost that is hard to predict. You would have human resource costs to fire and replace the problem employee and any manager(s) who should have noticed the breach. In addition, management will have to redesign their organizational strategy and plans.
  • A disgruntled customer uses social media to invoke a cyber attack against your manufacturing company that overloads and shuts down your network, halting network communications with your suppliers, distributors, service providers, and customers—The business interruption costs could be significant, along with the costs to restore your network and any lost data, the costs to investigate the attack, and any legal costs to recoup damages. Your organization could suffer reputational damage, causing loss of suppliers and distributors, loss of service contracts, loss of customers whose orders were lost or delayed, and the loss of potential customers influenced by negative word of mouth.

The costs incurred in these breaches must be managed, and a producer’s recommendations for managing them can position a small- to mid-size organization to withstand a cyber breach without filing for bankruptcy.

Many organizations believe that they will never suffer from a cyber breach. Cyber breaches that make the news involve large corporations. A producer can point out that many smaller companies also suffer from cyber breaches. Cyber experts advise that companies should ask when, not if, a data breach will occur. Organizations should prepare for a breach through various risk management techniques.

Typically, an organization's information technology (IT) department assumes responsibility for data protection and assures upper management that their systems are secure. However, cyber breaches have occurred even in highly secured environments. To stress the need for cyber insurance despite system security, a producer might use an analogy to explain the need for a cyber risk plan.

Property Insurance Coverage Analogy

Most organizations purchase property coverage for the risks associated with fire, even though they do not expect a fire loss and their buildings are designed to prevent fire spread and protect occupants, with features such as smoke alarms, fire-rated doors, sprinkler systems, stairwells, and other emergency egress features. The development of a cyber risk plan, even though strong security measures already exist, is comparable to purchasing fire insurance despite fire-resistive building features.

Many managers believe that their organizations’ cyber risks are covered under their existing policies. In fact, most property and liability coverages exclude or limit coverage for losses to intangible property, which includes data. A producer should show clients the passages in their policies that exclude or provide only limited coverage.

Chief financial officers (CFOs) and chief executive officers (CEOs) are often involved in cyber insurance purchasing decisions. Many executives find it difficult to discuss cyber risk with their IT staff to determine whether they need coverage. Senior management may be stymied by IT jargon or by the complexity of computer systems. A producer should use common terminology to explain a computer network and may want to use a simple diagram that depicts the vulnerable points in a single user’s network where security could be breached.

Completing an application for cyber insurance can be a lengthy and tedious process because information is needed from many departments across an organization. To remove the client’s burden of completing a long application just to get a quote, an experienced underwriter could offer a good estimate of the appropriate coverage and its cost based on the client’s revenue data and a review of the organization’s website. This estimate can assist the client in deciding whether to purchase coverage, and if so, which coverage. If the client is satisfied with the estimate, the completed application will still be required for the coverage to take effect. If a client requests a quote, then the producer must be certain to follow through. Failure to do so could result in an errors and omissions (E&O) claim.


Best Practices for Producers

While helping organizations identify their cyber risk needs, producers must recognize their own potential for E&O liability.

Producers can advise clients that the best way to complete a cyber insurance application is for the appropriate personnel to complete the applicable sections, including the risk manager or financial officer, information technology officers, privacy officers, human resources staff, marketing officers, and legal counsel.

Cyber Risk Needs of Small- and Mid-Size Organizations

Many large organizations recognize their need for cyber coverage and loss mitigation, but small- and mid-size organizations may not be as prepared to manage their cyber risks. Their data can be more vulnerable than the data of larger organizations that have taken extra precautions. Knowledge about cyber risk, cyber coverages, data privacy requirements, and data protection regulations can enable producers to assist clients in examining and securing their cyber risks.

A producer might ask a small- or mid-size organization whether it stores clients’ or employees’ PII in its computer system. Because most organizations have employees’ PII, the producer could mention the ramifications if that data became public, perhaps because a disgruntled employee released the information. The producer could mention various government regulations geared to protect PII and the fines and other penalties that could apply if customer or employee PII is exposed, such as through an employee's oversight.

A producer may recommend that a client enlist the services of a cyber risk consultant to identify and address vulnerabilities in the client's system. The cost of these services would be much less than the financial and reputational costs of a cyber breach. Before presenting coverage options to the client, the producer might also enlist the help of a cyber expert to assess the client’s vulnerabilities.

Gray areas, where the client’s cyber coverage may be questionable, require special attention. Cyber insurance includes first-party property coverage to protect the insured’s business personal property and third-party liability coverage. Cyber products may include business interruption (for the time needed to recover from a data breach) and credit monitoring for customers exposed to a PII data breach. Some cyber policies include technology E&O coverage for organizations that provide software products or services to their clients. The producer must make certain that the coverages considered are appropriate for and address all of a client’s cyber risk exposures.

For example, a pharmacy client that accepts credit and debit cards and manages PII, along with protected health information (PHI), may need a cyber policy (or policies) tailored to those needs. An appropriate policy might include liability coverage for data/privacy breach (for PII and PHI), pharmacists’ E&O coverage, business interruption coverage, and credit monitoring reimbursement. In contrast, a client that provides and maintains software for its clothing retail customers may need technology E&O coverage in its cyber plan, along with PII data breach, business interruption, and credit monitoring reimbursement.

A knowledgeable producer can provide a policy for a small- to mid-sized organization that offers pre-loss risk management advice, loss control services, crisis management and mitigation services, IT forensics investigation, and legal services. Such a package provides one-stop service for smaller organizations that otherwise might not develop these resources.

Managing E&O Issues

Producers that sell cyber insurance are subject to various E&O exposures, including those that arise from their clients, from insurers, and from their own business operations.

Because of the prevalence of data breaches, producers are responsible for informing their clients that only limited cyber risk coverage is included in their traditional policies. Failure to inform a client of a cyber coverage gap can expose the producer to an E&O claim if a cyber coverage claim is denied.

Producers enter into contracts with insurers, agreeing to place coverage for their clients and assist in handling claims. If a producer leads a client to believe that the insurer will pay a cyber risk claim, even though he or she knows that the insurer will deny it, the producer could be exposed to an E&O claim from the client.

Producers are responsible for maintaining security for clients’ PII that is maintained in the producers’ computer systems. A producer whose customer data is breached in a cyber attack may be exposed to an E&O claim by the customer. A wise producer follows the same ERM procedures that it recommends to its clients and, by doing so, can avoid these E&O claims.


Insurance for Cyber Risk Exposures

The pervasive nature of cyber risks makes it essential for an insurance professional to know where coverage for these exposures exists in both traditional policies and specialized cyber risk insurance products.

Traditional policies continue to serve a valuable purpose of protecting insureds from conventional property and liability causes of loss. However, cyber risk exposures increase an organization’s vulnerability. One risk management solution to address this vulnerability is risk transfer via cyber risk insurance.

Fundamental concepts that explain why it is necessary and how to combine cyber risk insurance with traditional policies include these:

  • The nature of first- and third-party exposures
  • Cyber touchpoints in traditional policies
  • Coverages needed
  • The need for specialized cyber risk insurance products
  • Considerations for buying cyber insurance

First- and Third-Party Exposures

The first party is the organization that may or may not have purchased insurance from an insurer—the second party. The first party’s database contains its customers’ private information.

For the sake of this discussion, these customers are the third parties. Any other person or organization can be a third party that might assert a claim against the first party.

With cyber risk, first-party exposures are expenses the first party may incur to prevent or mitigate a loss resulting from, for example, a breach of its database. Some of the first-party expenses that can be incurred are costs to perform a forensic study, notify customers of a breach, monitor customers’ credit, repair reputational damage, and reconstruct lost or corrupted data.

Third-party exposures are associated with possible causes of action (claims) that customers or other stakeholders could assert against the first party for not preventing the cyber incident. Third-party exposures involve the third party holding the first party liable for any damages that were incurred as a result of the breach. Damages may include attorneys’ fees, court costs, and payment of a settlement or judgment.

Cyber Touchpoints in Traditional Policies

Traditional policies that are frequently requested to provide coverage for a cyber loss include these:

  • Building and Personal Property Coverage Form (BPP)
  • Commercial General Liability Coverage Form (CGL)
  • Business Income (and Extra Expense) Coverage Form
  • Businessowners policy (BOP): A package policy that combines most of the property and liability coverages needed by small and medium-size businesses.
  • Crime insurance
  • Directors and officers (D&O) liability insurance: Insurance that covers a corporation’s directors and officers against liability for their wrongful acts covered by the policy and also covers the sums that the insured corporation is required or permitted by law to pay to the directors and officers as indemnification.

These traditional policies provide commercial liability coverage, property coverage, or both coverages together as a package. Liability coverage protects an organization from third-party losses, and property coverage protects an organization from first-party losses.

Traditional policies generally do not provide substantial protection from a cyber loss for one or more of these reasons:

  • The cyber loss is not a triggering event under a policy’s insuring agreement.
  • The cyber loss is not included within the definition of a relevant policy term—for example, property damage is a term defined in a CGL policy as physical injury to tangible property. The definition further states that, for the purposes of this insurance, electronic data is not considered tangible property.
  • The cyber loss is specifically excluded.
  • The cyber loss is capped at a low limit.

Essentially, most traditional policies are not designed to cover first- or third-party cyber losses. Organizations instead rely on specialized cyber insurance products to cover cyber exposures.


Cyber Exposures: First Party or Third Party?

In the market for cyber risk coverages, there is not a consistent standard for determining whether certain loss exposures are first party or third party. For the purposes of this course material, reputation mitigation and response to regulatory action are regarded as first-party loss exposures, even though some policies label them as third-party loss exposures.

While not all cyber coverages are required by every organization, third-party coverages that are often needed include these:

  • Defense and payment of liability claims asserted by third parties for allowing a breach to occur
  • Protection from allegations of intellectual property infringement in an insured’s online publications and other forms of media liability
  • Breach of privacy liability if employees’ or customers’ private information is released to an unauthorized party

First-party coverages that are often needed include these:

  • Forensic study to determine the scope of the breach
  • Business income for loss of income when operations are temporarily shut down
  • Reputation mitigation, such as damage control through public relations and education of customers
  • Response to regulatory action, such as an investigation into whether the organization implemented the minimum required cyber security measures and sent adequate and timely notification, as well as any fines or penalties assessed
  • Restoration of data that was lost as a result of cyber attack

The Need for Specialized Cyber Risk Insurance Products

A mid-size or smaller organization may not have the capital to pay the costs incurred to resolve a cyber loss if its risk management strategy fails to prevent or fully mitigate a cyber breach. Such a cyber loss could bankrupt an organization, which emphasizes the need to transfer cyber risks to an insurer that offers specialized cyber risk insurance products.

These are examples of loss exposures that could be covered with such products:

  • Business interruption, including possible contingent exposures resulting from an insured’s suppliers
  • Identity theft of customers whose confidential information may have been stolen
  • Reputational damage to the insured
  • Third-party liability claims from customers alleging the organization failed to prevent unauthorized disclosure of their private information

An insured's risk manager should assess the organization's cyber exposures and estimate the frequency and severity of each exposure because the risk manager needs to establish the necessary limits of coverage.

Chart of Cyber Loss Exposures

First-party cyber risk loss exposures:

  • Business interruption and extra expenses
  • Customer notification
  • Credit monitoring
  • Data-breach investigation
  • Regulatory action—fines, penalties, legal costs
  • Extortion
  • Reputation mitigation
  • Supply-chain cyber risks

Third-party cyber liability loss exposures:

  • Liability for customer data
  • Network security and media liability
  • Directors and officers liability
  • Errors and omissions liability


Considerations for Buying Cyber Insurance

Buying cyber insurance differs from buying other insurance, such as a personal auto policy, in which the policy is usually written on a standard form and the loss exposures each driver faces are substantially similar. Frequently, the primary consideration of an auto insurance buyer is price.

Considerations for buying cyber insurance are substantially more extensive and often prompt these activities on the part of the organization:

  • Identify and assess the organization’s cyber risks. Not all available cyber coverages may be needed.
  • Determine what cyber coverage, if any, is provided by policies the organization already has in place.
  • Assess the organization’s cyber exposures and estimate the frequency and severity of each exposure to establish the necessary limits of coverage.
  • Carefully review the language used in exclusions, which may have been cut and pasted from another policy and may be inappropriate for a cyber policy.
  • Consider coverage that becomes effective retroactively, because data breaches can remain undetected for an extended period of time.
  • If the organization outsources data processing to a vendor, determine whether liability coverage for errors made by the vendor should be purchased.
  • Review the premium charged to insure data restoration, because the restoration cost is often prohibitive without insurance.
  • Seek input from the organization’s information technology, risk management, and finance representatives.
  • Use the insurer's risk management services.
  • Coordinate cyber insurance coverage with indemnity agreements.
  • Determine whether it is worth the additional premium to cover loss of data from unencrypted devices.
  • Determine whether it is worth the additional premium to cover governmental fines.


Common Policy Formats

An insurance professional should understand common policy formats in order to properly structure commercial insurance coverage for insureds.

A basic distinction in the format of a commercial insurance policy is whether the policy is a multiline policy or a monoline policy. Another basic distinction is whether the policy is a standard form or a nonstandard form. Beyond these basic distinctions, three common formats for commercial insurance policies are the commercial package policy, the businessowners policy, and the output policy.

Multiline Policies and Monoline Policies

Insurance professionals commonly use the phrase “line of business,” or simply “line,” to refer to a specific type of insurance. This usage has resulted in the common insurance terms “multiline policy” (a policy covering two or more lines of business) and “monoline policy” (a policy covering only one line of business).

The phrases used to denote different lines—such as “commercial crime” and “commercial inland marine”—vary by insurer, but often follow the terminology used by either of two insurance advisory organizations: Insurance Services Office, Inc. (ISO), and the American Association of Insurance Services (AAIS).

Both of these organizations develop insurance forms for use by their member insurers and provide many related services. Most organizations are insured under a multiline policy (also referred to as a package policy) for most of their property and liability loss exposures but may also have one or more monoline policies for coverages that cannot be included in their multiline policies.

For example, many organizations purchase specialty coverages, such as flood insurance, in monoline policies because such coverages can sometimes be obtained only from an insurer other than the one writing the multiline policy.

Standard Forms and Nonstandard Forms

Although many insurers use the standard forms developed by ISO, AAIS, or other insurance advisory organizations, some insurers develop their own forms either because they want to write a type of insurance for which no standard form is available or because they want to differentiate their products from the standard forms.

Additionally, large insurance brokerages have developed their own insurance forms, referred to as “manuscript forms” or “broker forms,” using provisions that are more favorable to insureds than the provisions in standard forms. Generally, insurers accept broker forms only for the largest accounts.

In contrast with ISO or AAIS standard forms, insurers’ or brokers’ independently developed forms are often referred to as “nonstandard forms.” One of the benefits of studying standard forms is that they serve as benchmarks for analysis of comparable nonstandard forms, enabling one to spot important differences from the standard forms.

Commercial Package Policy

A commercial package policy (CPP) is a multiline policy composed of two or more coverage parts, each coverage part providing a separate line of insurance.

Under ISO Commercial Lines Manual (CLM) policywriting rules, widely used by insurers, one of the coverage parts of a CPP must cover buildings and/or business personal property, and another must cover commercial general liability. Other coverage parts for property and liability lines can be added. Examples of additional property coverage parts are commercial crime, commercial inland marine, and equipment breakdown.

Each coverage part consists of these components:

  • One or more declarations forms (containing information about the insured and the particular loss exposures insured)
  • One or more coverage forms (containing most of the essential terms of coverage)
  • For some lines of insurance, a general conditions form
  • Any applicable endorsements (modifying the terms of the coverage form or general conditions form)
  • Except Exclusions

In addition to coverage parts, a CPP also contains a “common declarations form” for the entire policy and the Common Policy Conditions form. In many cases, insurers combine the common declarations form with the separate declarations forms that apply to the individual coverage parts.

The exhibit shows the coverage parts and forms that might be included in a particular CPP. An insurer can write a monoline commercial insurance policy (such as a monoline equipment breakdown policy) by combining the selected coverage part with common declarations and the Common Policy Conditions.

For example, an insured who owns a large business is comparing the different types of commercial insurance policies. The insured chooses a commercial package policy because it provides the option to add lines of insurance for all coverages that are needed.

Components of a Sample Commercial Package Policy


Businessowners Policy

Many small and midsize businesses have similar and relatively uncomplicated insurance needs. Insurers therefore offer policies specially designed for such insureds as an economical alternative to regular commercial package policies.

Such policies are known generically as “businessowners policies,” although many insurers use proprietary names to establish brand identity. A businessowners policy, or BOP, is a multiline policy that includes most of the property and liability coverages needed by small and midsize businesses.

Businessowners policies typically provide building and business personal property coverage, business income and extra expense coverage, and the equivalent of commercial general liability coverage. Other coverages are either included automatically or available as options.

Businessowners policies resemble homeowners policies in the way they package standard coverages and in their simplified rating procedures. BOPs have broad-based public appeal because of their economical packaging of the types of coverages most needed by a wide variety of small to mid-size businesses. At the same time, BOPs provide insurers and producers with a highly competitive product that is largely automated, with streamlined underwriting.

The first businessowners policies were independently developed by individual insurers. ISO introduced a standardized businessowners program in 1976 and has revised it several times.

AAIS also offers a businessowners program as well as its Artisans Program, which uses a businessowners-type policy tailored to meet the specific coverage needs of eligible contractors. Many insurers, including the market leaders for this line, use independently developed BOP forms. Some insurers have developed specialized BOP forms for specific classes of business, such as contractors, printers, or places of worship.

Underwriting BOP

The BOP is a bundled package of coverages designed for the average small to medium-size risk. Writing a commercial insurance policy as a BOP offers many advantages, such as expense reduction resulting from elimination of duplicate underwriting; adverse selection reduction (if the insured wants coverage for one particularly hazardous exposure, the higher probability of loss can be offset by the premium for other exposures less likely to suffer a loss); and pricing flexibility, thereby enabling the insurer to compete more effectively for the types of insureds it desires.

For many insurers, underwriting BOPs differs from underwriting most other commercial lines. The standardized nature of BOP coverage and the need to control costs to remain competitive have led to the extensive use of computers for underwriting and processing BOPs. Many insurers also use predictive modeling to assess and price BOPs. The policies are generally underwritten in a manner that resembles the underwriting of homeowners coverage as opposed to other commercial lines.

Output Policy

The coverages in an output policy might include buildings and business personal property, business income and extra expense, crime, inland marine, and equipment breakdown. In a CPP, each of these coverages would have to be provided by a separate coverage part or coverage form. Thus, an output policy uses a more seamless approach in providing commercial property insurance.

Also, output policies often provide property coverage enhancements not contained in the standard forms used in CPPs, particularly broad coverage for property while away from the insured’s premises, whether in the course of transit or at a location not described in the policy.

Eligibility for output policies includes most types of commercial organizations, and specialized output policies have been created for certain market segments such as agribusinesses and developers.

Output policies are generally used only for midsize and larger businesses. The CPP, the BOP, and the output policy, although different in their formatting, are composed of similar policy provisions. Policy provisions can be categorized as declarations, definitions, insuring agreements, exclusions, miscellaneous provisions, and conditions. A policy condition is any insurance policy provision that qualifies an otherwise enforceable promise of the insurer.

Of the various types of policy provisions, conditions are the least likely to vary among different types of commercial property policies.


Cyber Risks and the ISO Building and Personal Property Coverage Form

Organizations may purchase traditional commercial property coverages, such as those that insurers offer through forms developed by Insurance Services Office, Inc. (ISO), as part of an enterprise risk management approach to mitigating cyber risks. However, the limited cyber coverage provided by such policies may be inadequate for most organizations.

The ISO Building and Personal Property Coverage Form, also referred to as the BPP, and similar traditional commercial property policies are often used to insure buildings, the insured’s business personal property, and the personal property of others. The insured can buy coverage for any combination of these three categories. However, the BPP and similar commercial property forms exclude coverage for certain types of structures, such as bridges, and certain types of business personal property, such as money and securities.

The BPP’s causes of loss forms work in conjunction with policy provisions to delineate the specific coverage it provides. The Causes of Loss—Basic Form and the Causes of Loss—Broad Form are specified-perils forms, which means that they have a list of covered causes of loss as well as a list of exclusions. The Causes of Loss—Special Form insures against direct physical loss unless the loss results from a specifically excluded or limited cause of loss.

These causes of loss forms combine with general policy provisions to describe the BPP’s coverage. They then refine that description through a series of limitations and exclusions.

Some of these provisions, limitations, and exclusions apply to property such as data and data storage/transmission media and to first-party cyber risk loss exposures, though additional coverage may be available to augment the BPP’s limited coverage for cyber risks.

Property Not Covered

The BPP’s Property Not Covered section lists several classes of property or kinds of property losses that do not qualify as covered property. Therefore, its Covered Property section and Property Not Covered section must be read together when determining whether a specific kind of property is insured. Some kinds of property are excluded because they can be insured more advantageously under other forms.

The BPP excludes coverage for all electronic data (defined broadly to include information, facts, or computer programs used with electronically controlled equipment), subject to two exceptions:

  • Stock of prepackaged software
  • Data covered under the Electronic Data additional coverage

The BPP defines “stock” as merchandise held in storage or for sale, raw materials, and in-process or finished goods, which includes supplies used in the goods’ packing or shipping. Thus, a retail store that sells prepackaged software or a manufacturer that produces it would be insured for a covered loss to such software that qualifies as stock.

The additional coverage for electronic data, however, does not apply to the named insured's stock of prepackaged software or electronic data that is integrated in and operates or controls the building's elevator, lighting, security, and climate control system. The reason for this exclusion is that these specific items are covered property because they are excepted from the Property Not Covered section of the BPP.

These items are also covered up to the regular policy limits as shown on the declarations and not subject to the lower limit of liability applicable to the Electronic Data additional coverage.

Optional Additional Coverages

The BPP includes an Additional Coverages section that provides insurance for certain consequences of property losses that would not otherwise be covered.

One such additional coverage, Electronic Data additional coverage, provides nominal coverage for the cost to replace or restore electronic data that is destroyed or corrupted by a covered loss, including loss from a virus or harmful code.

However, this additional coverage is subject to a limit that is too low to provide meaningful coverage for most organizations and is the most that the insurer will pay per policy year, regardless of the number of occurrences or locations covered. All electronic-data damage is deemed to have been sustained in the policy year that an occurrence began, even if the damage continues or results in additional loss or damage in a subsequent policy year.

By contrast, the American Association of Insurance Services’ Commercial Output Program (COP) additional coverages provide wider coverage and larger limits for causes of loss such as loss caused by computer hacking and loss caused by computer virus. They also cover programs, applications, and proprietary programs, and they address loss of income related to a data breach.

Cyber Risk First-Party Exposures Not Covered in the BPP

Cyber risk loss exposures traditionally have posed coverage problems for insurers because coverage under the BPP and similar property policies is generally limited to physical loss or damage to the insured property.

Many insurers have questioned whether the erasure of computer files or their deliberate corruption by third parties constitutes physical damage within the meaning of the BPP.

The BPP and similar commercial property forms consequently provide only limited coverage for cyber events that may have significant financial consequences for an organization. While these forms may provide coverage to repair or replace computer hardware that is damaged or destroyed by a covered cause of loss, they are not likely to provide the limits necessary to restore a business to its pre-cyber-loss condition.

Examples of cyber losses generally not covered under most first-party commercial property forms include these:

  • Ransom costs related to cyber extortion
  • Business interruption and extra expense, including possible contingent exposures resulting from an insured's suppliers
  • Expenses an insured incurs, such as providing credit score monitoring for customers whose credit data may have been compromised
  • Costs related to remediation of any damage that may have been done to the reputation of the insured
  • The cost to replace or restore information on valuable papers and records, including those that exist as electronic data

Expenses such as providing credit score monitoring for customers whose credit data may have been compromised are generally not covered under most first-party commercial property forms.

The stock of prepackaged software is covered by the Insurance Services Office, Inc., Building and Personal Property Coverage Form.

The Electronic Data additional coverage section of the Insurance Services Office, Inc., Building and Personal Property Coverage Form does not extend to the named insured's electronic data that is integrated in and operates or controls the building's elevator, lighting, security, and climate control system because these items are covered up to the regular policy limits as shown on the declarations. 


Legal Liability: Torts, Contracts, and Statutes

Every person and all organizations are exposed to liability loss. The possibility of a liability loss is a liability loss exposure. To be able to identify, analyze, and properly handle an organization’s liability loss exposures, one must understand the concept of legal liability and the common sources of liability loss exposures.

Legal liability can be imposed by civil law, criminal law, or both. Legal liability imposed by civil law can be based on torts, contracts, or statutes.

Civil Law and Criminal Law

Liability insurance responds only to liability imposed by civil law; insurance for criminal liability is prohibited by law.

In some instances, a single act can constitute both a civil wrong and a crime. For example, if a driver causes the death of a pedestrian, law enforcement authorities may charge the driver with vehicular homicide, a criminal act. The driver may also be subject to a civil action by the estate of the deceased pedestrian for medical bills, funeral expenses, loss of support, and other damages that the law allows. Insurance coverage would not respond to the criminal charges. It could, however, provide payment for the civil claims.

A liability insurance policy typically obligates the insurer to defend the insured against allegations that, if true, would be covered under the policy. Even if the claimant's allegations turn out to be false or fraudulent, the insurer is ordinarily obligated to pay the costs of defending against the claim. In addition, a liability policy contains the insurer's promise to pay damages for which the insured is legally liable and that are covered by the policy. In most liability claims in which the insurer believes that its insured is legally liable, the insurer attempts to settle the claim (by offering to pay a certain amount of damages to the claimant) in order to avoid the additional expense of a trial.

Legal Liability Based on Torts

Torts may be civil wrongs or private wrongs. Most of the claims covered by liability insurance are based on tort law, which protects the rights of individuals. These rights originally included the rights to security of person, property, and reputation. Over the years, legal changes have established other rights of individuals, such as the right to privacy. Where a right exists, others have a corresponding duty to respect it and to refrain from any act or omission that would impair or damage it. Any wrongful invasion of legally protected rights entitles the injured party to bring an action against the wrongdoer for damages.

Underwriting Tip—Tort law varies by state. Liability underwriters should know tort law in general and the specifics of tort law in states in which they underwrite. To properly evaluate applicants for liability insurance, underwriters should also monitor related developments in state courts.

The numerous types of torts fall into three broad categories:

  • Negligence
  • Intentional torts
  • Strict liability torts

Negligence is based on four elements:

  • A duty owed to another person
  • A breach of that duty
  • A close causal connection between the negligent act (breach of duty) and the resulting harm
  • The occurrence of actual loss or damage of a type recognized by law and measurable in monetary terms

For example, a motorist who drives at an unsafe and excessive speed and, as a result, causes an accident that injures another motorist has committed the tort of negligence.

A negligent act does not in and of itself qualify as the basis for a negligence tort. All four elements of negligence must be present. For example, a motorist who is driving at an unsafe speed and who narrowly misses another vehicle has not committed the tort of negligence, although the act is negligent. The motorist who is driving negligently may receive a ticket, but the motorist whose vehicle was narrowly missed does not have the basis for a tort of negligence because he or she did not experience actual loss or damage.

An intentional tort is a tort committed by a person who foresees (or should be able to foresee) that his or her act will harm another person. The act does not necessarily have to be performed with malicious or hostile intent. An example of an intentional tort is libel, the publication of a false statement that damages a person’s reputation.

Strict Liability (or absolute liability) is liability that is imposed even though the defendant acted neither negligently nor with intent to cause harm. Common examples of strict liability include liability for abnormally dangerous instrumentalities (such as wild animals), ultrahazardous activities (such as blasting), and dangerously defective products (such as malfunctioning smoke detectors).

Strict liability is also used to describe liability imposed by certain statutes, such as workers compensation laws.


Legal Liability Based on Contracts

In addition to torts, contracts also impose legal liability. If one party fails to honor a contractual promise, the other may go to court to enforce the contract. Liability based on contracts can arise out of either a breach of contract or an agreement one party has made to assume the liability of another party.

Breach of contract is a failure to fulfill one’s contractual promise. A common type of breach of contract involves the promise (called a warranty) made by a seller regarding its product. If the product fails to fulfill its promise, the warranty has been breached, and the buyer can make a claim against the seller. The warranty may be either expressly stated or implied by law. For example, the law implies a warranty that every product is fit for the particular purpose for which it is sold. If the product is unfit for its intended purpose and the buyer is injured as a result, the seller may be held legally liable for damages.

Liability for injury or damage resulting from a seller’s breach of warranty is commonly insurable. Other consequences of breach of contract are not insurable. For example, if a builder fails to complete a new store by the promised date, the store owner’s claim for loss of revenue is normally not insurable under the builder’s general liability insurance.

A hold-harmless agreement (or indemnity agreement) typically requires one party to “hold harmless and indemnify” the other party against liability arising from the activity or product that is the subject of the contract.

For example, a building’s lease may obligate the tenant to hold the landlord harmless against any liability claims made by any person injured on the leased premises. The tenant, in this case, is agreeing by contract to pay claims for which the tenant would not otherwise have been legally liable. Construction contracts and other types of agreements also often contain hold-harmless agreements. Contractual liability is liability assumed through a hold-harmless agreement and is commonly covered under liability insurance policies.

Because hold-harmless agreements are only subsidiary issues in negotiations of larger contracts, they often receive little attention from the contracting parties. This can be a problem for underwriters because once an injury occurs, a need arises to litigate the meaning of the accompanying hold-harmless agreement.

Legal Liability Based on Statutes

In addition to torts and contracts, statutes are a third major basis for imposing legal liability. A statute is a written law passed by a legislative body, at either the federal or state level. Written laws at the local level are usually referred to as ordinances. Statutes and ordinances can modify the duties that persons owe to others. Thus, the duties imposed by statute or ordinance may be used as evidence of a person’s duty of care in a tort action. A statute can also impose legal liability on certain persons or organizations regardless of whether they acted negligently, committed any tort, or assumed liability under a contract.

A statute can give certain persons or organizations an absolute legal obligation to compensate other persons if certain events occur. This type of obligation is a form of strict liability, like that previously discussed, except that it is based entirely on requirements imposed by statute rather than on tort law. An important example of liability imposed by statute is the workers compensation system, which requires employers to pay prescribed benefits for occupational injuries or illness of their employees. The employer must pay these benefits even if an employee’s injury or illness did not result from the employer’s negligence.

An employer's liability for occupational injuries and illnesses is based on statutory liability.


Cyber Risks and the ISO Commercial General Liability Coverage Form

Understanding the cyber risk coverage limitations of commercial general liability (CGL) policies is one of the initial steps in knowing which cyber risks need to be mitigated or insured by endorsement or a stand-alone cyber policy.

The most frequently used CGL forms are developed by Insurance Services Office, Inc. (ISO). In addition, the American Association of Insurance Services (AAIS) has developed CGL coverage forms, and some insurers use their own independently developed forms.

A CGL policy is the foundation on which to build liability protection. The first step in determining whether a specific cyber liability risk is covered by a CGL policy is to gain an understanding of how the policy is structured. Then, the insuring agreements, along with the policy definitions of the terms in the agreements, should be reviewed to determine whether the initial grant of coverage includes the exposure and, if so, whether any exclusions apply that negate or restrict the coverage.

Analysis of the CGL Policy, Coverage A and Coverage B

CGL policies are purchased by all types of business owners who want to transfer their risks from a broad range of liability loss exposures.

Included in that range of exposures are claims of liability for bodily injury, property damage, and personal and advertising injury, as defined in the policy. The coverages in the ISO CGL are broken into Coverage A and Coverage B.

Coverage A protects insureds from liability claims alleging bodily injury and property damage. Coverage B protects insureds from liability claims alleging personal and advertising injury.

In Coverage A, the CGL policy starts with a substantial grant of coverage made in the insuring agreement. The agreement explains that the insurer will pay on behalf of the insured what it is determined that the insured is legally obligated to pay as damages because of bodily injury or property damage (for events to which the insurance applies). The insuring agreement in Coverage B also provides a substantial grant of coverage for personal and advertising injury.

The terms in the insuring agreements that are defined in the policy must be examined to ensure the definitions are broad enough to include the types of claims the insured wants to transfer to the insurer. If they are, it should also be determined whether an exclusion negates or restricts needed coverage.

Policy Definitions and Exclusions in a Cyber Exposure Context

The CGL insuring agreements for both Coverages A and B appear to be broad enough to provide coverage for one of the costliest types of claims: those that arise from a hacker’s obtaining unauthorized access to the private information of an insured’s customers.

However, the term “property damage” in the Coverage A insuring agreement is defined in the policy. The definition should be reviewed to determine whether the coverage granted by the insuring agreement applies to these types of claims. The CGL policy defines property damage as physical injury to tangible property.

The policy definition continues by explaining that, for the purposes of the insurance provided by the CGL, electronic data is not tangible property. Therefore, Coverage A, unendorsed, does not appear to provide coverage for damages arising from, for example, a claim involving a hacker’s successfully gaining access to an insured’s database that contains private customer information.

The unendorsed ISO Commercial General Liability (CGL) policy defines property damage as physical injury to tangible property, not including electronic data.

Coverage B contains the term “personal and advertising injury,” which is defined in the policy.

"Personal and advertising injury" means injury, including consequential "bodily injury", arising out of one or more of the following offenses:

a. False arrest, detention or imprisonment;

b. Malicious prosecution;

c. The wrongful eviction from, wrongful entry into, or invasion of the right of private occupancy of a room, dwelling or premises that a person occupies, committed by or on behalf of its owner, landlord or lessor;

d. Oral or written publication, in any manner, of material that slanders or libels a person or organization or disparages a person's or organization's goods, products or services;

e. Oral or written publication, in any manner, of material that violates a person's right of privacy;

f. The use of another's advertising idea in your "advertisement"; or

g. Infringing upon another's copyright, trade dress or slogan in your "advertisement".

In regard to cyber claims, the definition may be sufficiently broad to include coverage for situations such as a hacker’s obtaining control over an insured’s website. Hijacking an insured’s website could result in the hacker’s publishing content that slanders or libels a third party or disparages the party’s products or services.

Also included in the definition of personal and advertising injury is content that could be placed on the site by a hacker—without the knowledge or permission of the web host—that violates a person’s right of privacy, such as a photograph of a celebrity that the celebrity thought would remain private. The hacker could also add content to the website that infringes on another party’s copyright, trade dress, or slogan, an infringement that is included in the definition of personal and advertising injury.

If a claim appears to be included in the insuring agreement and the policy definitions, the next step is to determine whether an exclusion applies. These are exclusions for Coverage B—Personal and Advertising Injury that may apply to a cyber loss:

  • Criminal acts (which a hacker may make it appear that an insured committed)
  • Contractual liability (liability an insured assumes in a contract, such as an indemnification agreement)
  • Quality or performance of goods (failure to conform to statements regarding quality made in the insured’s ad, which may have been written by a hacker)
  • Wrong description of prices (that a hacker may have put on a retailer’s website, citing prices below actual costs)
  • Infringement of copyright, patent, trademark, or trade secret (which a hacker may do intentionally to create a conflict with the intellectual property owner)
  • Unauthorized use of another’s name or product (to mislead potential customers)


Limits and Sublimits

In a CGL policy that has been issued to an insured, the limits of coverage are listed on the declarations page and indicate the most the insurer will pay regardless of the number of each of these:

  • Insureds
  • Claims made or lawsuits filed
  • Persons or organizations making claims or bringing lawsuits

There are no separate sublimits for cyber coverage in the ISO CGL form. However, if the insured has chosen to add one of the optional additional coverages for electronic data liability to its CGL policy, the limits for that additional coverage will be shown on the declarations page.

Optional Additional Coverages

The standard ISO CGL and most other CGL forms exclude liability coverage for damage to electronic data. This gap in coverage can be partially closed with optional additional coverages.

ISO Electronic Data Liability Endorsement

This endorsement (CG 04 37) partially closes the gap by amending the CGL policy’s defined term “property damage” to include loss of or damage to electronic data. However, the loss of or damage to electronic data must still result from damage to tangible property, such as a computer or server.

Many businesses are exposed to losses to which this type of coverage responds. For example, an insured who owns a building might be sued based on alleged negligence in maintaining the building’s plumbing, resulting in enough water dripping onto a third party’s computers to permanently damage them and the electronic data they contained.

The endorsement does not cover, for example, liability loss exposures arising from the transmission by the first-party insured of malicious code or viruses, because the loss does not result from damage or physical injury to tangible property. Primarily in response to insureds’ demands that insurers pay under this endorsement the expenses and damages incurred when a breach of an insured’s database is successful, ISO offers an edition of this endorsement that explicitly excludes coverage for these types of claims.

The exclusion applies to Coverages A and B of the CGL policy. Neither coverage will respond to claims arising from a hacker’s access to or disclosure of confidential or personal information.

Coverage for these types of claims is possible. However, it may have to be purchased through a stand-alone cyber liability policy. Another option is the Electronic Data Liability Coverage Form.

Electronic Data Liability Coverage Form

This separate claims-made coverage form (CG 00 65) provides coverage for liability arising from loss of electronic data that is caused by an electronic data incident. Loss of electronic data occurs when there is damage to or loss of use of electronic data. An electronic data incident is an accident, a negligent act, an error, or an omission that results in loss of electronic data, other than unauthorized access.

The coverage territory of the Electronic Data Liability Coverage Form is broader than Coverage A of the Commercial General Liability (CGL) Coverage Form because it covers all parts of the world.

The Difference Between a Coverage Form and an Endorsement

A coverage form provides basic elements of a policy, which include these:

  • Insuring agreement
  • Exclusions
  • Policy conditions
  • Definitions

An endorsement amends the coverage form.

Coverage provided by this separate coverage form is broader than that in the ISO Electronic Data Liability endorsement because the coverage form does not require that the loss of electronic data result from physical injury to tangible property. Physical injury to tangible property is required for the endorsement to cover a loss.

Another advantage of the coverage form is that the coverage territory is broader than Coverage A in the CGL policy. The coverage form’s territory is all parts of the world, as long as lawsuits on the merits of the claim are brought in the United States or its possessions or territories or in Canada.

The insuring agreement of the coverage form stipulates that loss of electronic data does not occur when a party breaches the insured’s database to gain unauthorized access to private information. So, for example, coverage is not triggered when a hacker successfully breaches the database of an insured and obtains its customers’ credit-card information.

Exclusions in the coverage form indicate it is not intended to cover insureds that provide computer products or services. Also excluded are damage to the insured’s own electronic data, assumption of liability in a contract, infringement of intellectual property rights, and unauthorized use of electronic data by an insured.

Cyber Risk Third-Party Exposures Not Covered in the CGL

Multiple third-party cyber liability loss exposures are not covered in the ISO CGL but may be covered by a stand-alone cyber liability policy.

Cyber Risk Third-Party Exposures Not Covered in the ISO CGL

Coverage A (Property Damage): Physical damage to tangible property, such as an insured's computer system, is required. Electronic data is not considered tangible property.

Coverage Territory: Restricted to the United States and its possessions and territories and Canada. This restriction is made more challenging with regard to computing technologies, as an insured's database could be on a server in a foreign country.

Insureds in Media and Internet-Type Businesses: An insured involved in e-commerce may be more likely to have its personal and advertising injury excluded if it is in the business of any or all of these:

  • Advertising, broadcasting, publishing, or telecasting
  • Designing or determining content of websites for others
  • Providing Internet searches, access, content, or service

No Coverage for Being the Victim of a Data Breach: A successful breach of a database by a hacker, resulting in the release of private information to an unauthorized party, triggers no CGL coverage.

Liability Coverage Designed to Cover Different Loss Exposures: A CGL policy is designed to cover bodily injury and property damage, not errors and omissions that allowed a database to be breached.


The cyber risk third-party exposures that are not covered by a CGL policy leave substantial gaps in liability protection for many commercial insureds. These gaps may be addressed by policies that are designed specifically to cover these exposures.

When analyzing the coverage portfolio for a commercial insured that has significant cyber loss exposures, an insurance professional must be familiar with the cyber risk protection each traditional policy provides in order to prevent gaps or duplications in coverage.

Several commonly used policy forms provide insurance protection for traditional causes of loss. Some of these policy forms have been updated to add cyber coverage to the perils insured; however, the coverage limits in some of them have been modest. For example, the Insurance Services Office, Inc. (ISO) Commercial General Liability (CGL) Coverage Form provides cyber coverage but for only a few non-property-damage-related perils.

The ISO Building and Personal Property Coverage Form, also referred to as the BPP, provides some cyber coverage but only up to a relatively low limit. These are some other traditional insurance policies that warrant closer analysis in terms of cyber coverage:

  • Business Income (and Extra Expense) Coverage Form
  • Businessowners Policy (BOP)
  • Directors and officers (D&O) policy
  • Commercial crime policy


Cyber Risks and Other Traditional Policies

Business Income (and Extra Expense) Coverage Form

The Business Income (and Extra Expense) Coverage Form protects the insured organization from the reduction in income that occurs when operations are interrupted by damage to property caused by a covered peril. The ISO form is examined in this analysis.

Summary of the Base Coverage

The policy covers the loss of net profit and operating expenses that the insured organization sustains because of the necessary suspension of the insured’s operations during the period of restoration. The coverage form also covers extra expenses, which are costs incurred by the named insured to avoid or minimize the suspension of operations resulting from direct damage caused by a covered cause of loss.

Example of a Business Income and Extra Expense Claim

Frank and Gabriela are partners in a downtown bakery. Last week, a fire caused by an electrical short circuit in a kitchen appliance resulted in extensive property damage, forcing them to close the store while it is repaired. Frank has contacted a local general contractor, who estimates that it will take three months to repair or replace enough of the property so they can reopen the business. Gabriela has found a former bakery one block away that recently went out of business, and the landlord is willing to give Frank and Gabriela a month-to-month lease while their original store is being repaired. Frank and Gabriela have Business Income and Extra Expense coverage.

The claims representative who is adjusting Frank and Gabriela's claim has told them that the fire is a covered cause of loss and that they will likely recover the net profit the store would have earned had there been no fire. The coverage will also pay the operating expenses that continue despite the store’s being closed. Furthermore, these payments will be made for the period of restoration, which has been estimated to be three months.

Regarding Extra Expense coverage, the claims representative has told Frank and Gabriela that the insurer would be willing to pay the costs incurred to open their bakery at the temporary location if it would lower the total payments by the insurer. Frank and Gabriela are considering the offer.

Key Requirements for Coverage

The policy contains several key requirements for coverage to be in effect, including these:

  • The suspension of operations must be caused by direct physical loss of or damage to property at the insured’s premises.
  • The insured’s premises must be described in the Declarations.
  • A business income limit of insurance must be shown in the Declarations.
  • The loss or damage must be caused by or result from a covered cause of loss.
  • With respect to loss of or damage to personal property in the open or personal property in a vehicle, the described premises include the area within 100 feet of such premises.

Additional Coverage—Interruption of Computer Operations

Some traditional policies, including the Business Income (and Extra Expense) Coverage Form, shift data loss away from the principal coverage grant by excluding coverage when the destruction of data is the cause of the insured’s suspension of operations. Instead, the policy provides coverage for this cause of loss under Additional Coverage—Interruption of Computer Operations, which is subject to relatively low coverage sublimits.

The sublimit for this policy is $2,500 per year, regardless of the number of interruptions or the number of premises, locations, or computer systems involved. With such a low limit, most insureds should not rely on a Business Income (and Extra Expense) Coverage Form for protection from cyber risk loss exposures.

Businessowners Policy (BOP)

A BOP is available in different forms from several sources; here, the ISO form is analyzed.

The BOP is a package policy that combines traditional property and liability coverages in one policy. The coverages are designed to meet the needs of small and medium-size businesses. The policy consists of two sections: one for property coverages and the other for liability coverages.

The first section has an insuring agreement that states that the insurer will pay for direct physical loss to covered property; however, electronic data is not considered covered property. This allows the insurer to establish a separate and independent limit of coverage in a section referred to as Additional Coverage—Electronic Data.

Although the $10,000 limit is relatively low, it does include coverage for restoring electronic data that has been corrupted by a computer virus or other harmful code. Coverage does not apply if an insured’s employee, or a vendor hired to maintain the system, causes the loss.

There is also coverage for business income and extra expense in a section named Additional Coverage—Interruption of Computer Operations. This coverage is subject to the same $10,000 limit and exclusions.

The BOP’s second (liability) section has an insuring agreement that states that it is the insurer’s obligation to cover what the insured becomes legally obligated to pay as damages because of bodily injury, property damage, or personal and advertising injury. When the database of an insured organization has been breached by an unauthorized user, property damage claims are more likely than claims of bodily injury or personal and advertising injury.

Property damage is defined in the policy as physical injury to tangible property, including loss of use of the property. The definition further states that electronic data is not tangible property. Therefore, liability coverage for electronic data is not triggered or included in the second section of the BOP.

Directors and Officers (D&O) Policy

A D&O policy protects a corporation’s directors and officers against liability for their wrongful acts that are covered by the policy.

Wrongful acts are defined as any actual or alleged error, misstatement, misleading statement, neglect or breach of duty, omission or act by directors or officers in their position or capacity for the corporation. These terms describe unintentional wrongful acts.

Intentional wrongful acts on the part of directors and officers that result in a loss are excluded. These latter acts are described as those that are dishonest, malicious, fraudulent, or deliberately criminal.

Regulatory actions in the wake of a cyber loss are likely not covered, because civil and criminal fines and penalties are not included in the definition of a covered loss. Destruction of property and the loss of its use are excluded as well.

Example of a Covered Directors and Officers Cyber Claim

Unintentional wrongful acts by the directors and officers of an organization are typically covered by a directors and officers (D&O) policy. For example, at one retailer, several corporate officers were negligent in requiring that robust cyber security measures be implemented in regard to customer data. As a result of that negligence, a data breach occurred. Thousands of customers' private information was stolen by hackers, and hundreds of customers suffered stolen identities. Those customers with stolen identities sued the corporate officers in a class action lawsuit. The D&O policy would probably respond by providing a defense and paying a settlement or judgment.


Commercial Crime Policy

An ISO commercial crime policy provides protection against crime perils for money and securities and for other property that does not include electronic data.

One of those covered crime perils is theft of funds resulting from a fraudulent entry of electronic data or fraudulent execution of a computer program. However, that coverage is excluded when the funds were stolen by a thief who had authorized access to the insured’s computer system.

Additional exclusions further limit coverage for cyber loss exposures. One such exclusion eliminates coverage for losses resulting from an unauthorized disclosure of an organization’s trade secrets or customers’ credit card information. Specifically, data security breaches and extortion are excluded.

The exclusion is broadly written so that it applies to the many forms of extortion, including threats to take these actions:

  • Do bodily harm to anyone
  • Damage property
  • Execute a denial-of-service attack
  • Infect an insured’s computer system with a malicious virus or other harmful code

Theft by employees is also excluded unless an employee was acting in good faith on fraudulent instructions from a software contractor that has a written contract with the insured to service its computer system.

  | Policy | Data Breach First-Party Claims | Data Breach Third-Party Claims | Regulatory Action-Fines and Penalties | Extortion | Fraudulent Transfer of Funds | Infringement of Intellectual Property Rights |
  |---|---|---|---|---|---|---|
  | Business Income (and Extra Expenses) | Possible Coverage, limited to $2,500 per year; pays to restore data; excluded if done by employee or vendor hired to work on system. | N/A; Property Policy | No Coverage | No Coverage | No Coverage | No Coverage |
  | BOP (both Property Section 1 and Liability Section 2) | Possible Coverage, but limited to $10,000 per year; coverage includes cost to restore data and business income (and extra expenses); excluded if done by employee or vendor hired to work on system. | No Coverage. Property damage must be to tangible property, which electronic data is not. | No Coverage | No Coverage | No Coverage | Excluded under personal and liability claims |
  | D&O | N/A; Liability Policy | Possible Coverage | No Coverage | No Coverage | No Coverage | No Coverage |
  | Commercial Crime | No Coverage | No Coverage | No Coverage | No Coverage | No Coverage | No Coverage |

Traditional insurance policies that warrant closer analysis in terms of cyber coverage include these:

  • Business Income (and Extra Expense) Coverage Form
  • BOP
  • D&O policy
  • Commercial crime policy

Aside from the D&O policy, little or no cyber coverage can be found in the CGL, BPP, or any of these traditional policies.

A claim under a commercial crime policy may be covered if it involves theft of funds resulting from a fraudulent entry of electronic data.
Third-party data breach claims may be covered by a directors and officers policy.
The Business Income (and Extra Expense) Coverage Form provides coverage when the destruction of data causes an insured's suspension of operations under the section referred to as Additional Coverage—Interruption of Computer Operations, which is subject to a sublimit in the amount of $2,500.
The Additional Coverage—Electronic Data section of the Businessowners Policy, which provides coverage for restoring electronic data that has been corrupted by a computer virus, is subject to a limit of $10,000.
Claims for fraudulent transfer of funds may be covered by a commercial crime policy.


Cyber Risk Policies

Insurance professionals must understand the coverage options available in cyber policies to be able to tailor the coverage to fit the unique cyber risk profile of each commercial insured.

Traditional policies offer little to no coverage for cyber risk loss exposures. For example, most commercial general liability (CGL) policies specifically define property damage as physical damage to tangible property.

Most CGL policies also specify that electronic data is not tangible property. Therefore, typical CGL policy terms eliminate coverage for cyber liability risks, so CGL insureds are not protected from a variety of cyber risk loss exposures. Of some help are endorsements or additional coverages that can be added on to the traditional policies.

Directors and officers (D&O) policies are an exception in that they protect directors and officers against cyber liability risks for unintentional wrongful acts. This coverage is not subject to a low sublimit; the losses are paid out of the policy limit. To avoid duplication of coverage, D&O coverage is excluded in most stand-alone cyber risk policies.

Cyber risk policies bridge the cyber coverage gaps in traditional policies. To provide the coverage best suited to an individual insured, insurance professionals must understand these key cyber insurance concepts:

  • Cyber coverage in traditional policies
  • Typical coverages in a cyber risk policy
  • Cyber difference in conditions and excess cyber policies
  • Best practices for cyber insurance buyers

Cyber Coverage in Traditional Policies

Traditional policies cover traditional perils, with few gaps in coverage and with adequate limits to protect the insured from such perils. However, coverage for cyber loss exposures in traditional policies is too restricted in terms of perils covered and limits of coverage available to avoid gaps in protection.

In addition, cyber-related activities create new loss exposures not contemplated by traditional policies, such as liability for failing to prevent a denial-of-service attack. Cyber coverages available in common traditional policies include these:

  • The Insurance Services Office, Inc. (ISO) Building and Personal Property Coverage Form’s Electronic Data additional coverage pays the cost to restore electronic data destroyed by a covered cause of loss, including a virus or harmful code.
  • The ISO CGL Coverage Form does not cover cyber loss exposures, but some coverage is available through the Electronic Data Liability endorsement, which applies to electronic data losses that result from physical injury to tangible property. The ISO Electronic Data Liability Coverage Form provides slightly broader coverage for an insured’s liability for loss of electronic data.
  • The ISO Business Income (and Extra Expense) Coverage Form offers the Interruption of Computer Operations additional coverage. If added to the policy, it applies to an interruption of computer operations caused by the destruction of electronic data by a covered cause of loss.
  • The Computer Fraud and Funds Transfer Fraud endorsement to the ISO Businessowners Coverage Form (BOP) covers loss resulting from the use of any computer to transfer funds fraudulently or from fraudulent instruction to transfer funds.

Typical Coverages in a Cyber Risk Policy

Most cyber risk policies share these characteristics:

  • The coverage territory for third-party liability claims is worldwide.
  • They are claims-made policies.
  • Subsidiaries acquired during the policy period are automatically covered.

Other coverages for cyber risks vary from policy to policy; for example, whether payment of defense costs reduces the policy limit.

Cyber Difference in Conditions and Excess Cyber Policies

Cyber insurance policies focus on the direct costs resulting from a data breach. They are not designed to protect an insured from other kinds of damage. Furthermore, most traditional property-casualty policies exclude cyber risk or cover it with low sublimits. This situation can create gaps in an insured’s commercial coverage.

A cyber difference in conditions policy can fill many of those gaps. Difference in conditions policies have been used to cover perils that are normally excluded in commercial property policies, such as floods or earthquakes.

In a cyber context, difference in conditions policies can be drafted to increase coverage in two ways. The first is by providing coverage for perils that are normally excluded by cyber risk policies, such as damage resulting from a discharge of electromagnetic radiation.

The second is by providing additional limits of coverage for specific perils for which the primary layer does not offer sufficient limits. A cyber difference in conditions policy can provide coverage that primary insurers refuse to write, which makes it less critical that the insured’s primary insurers provide such coverage.

A commercial insured can purchase a cyber excess liability policy if it has determined that its cyber risk loss exposures warrant an additional layer of coverage beyond either the policy limits of the primary cyber policy or the self-insured retention amount. The cyber difference in conditions and excess cyber policies are best suited for larger public or private organizations that have the financial capacity to afford a large self-insured retention, which may be as high as $100 million or more.

While the premium for these policies may be relatively inexpensive, the high self-insured retention can cause the insured to incur significant claims expenses. Insurers prefer to write this coverage only for insureds who self-insure to such a high amount because the coverage is so broad that if the self-insured deductible were low, insureds might be tempted to simply pay the low deductible and rely on the coverage for unintended uses, such as maintenance of the insured’s property.

This, in turn, would drive up the insurer’s claims expenses. The high self-insured retention ensures that the coverage is used for its intended purpose and that the insurer does not incur unexpectedly high claims expenses compared with the premium charged for the coverage.

Cyber Coverages Commonly Available

Third-party liability for damage and defense costs resulting from:

  • Network security liability
    – Unauthorized disclosure of private information (privacy liability)
    – Destruction of digital assets
    – Unintentional transmission of malicious code
    – Unintentional participation in denial-of-service attack
  • Failure to promptly report unauthorized disclosure of private information
  • Failure to comply with statutory requirement that insured manage an identity-theft prevention program (Note: Not all jurisdictions have statutory requirement.)
  • Electronic media liability (Note: Defamation and infringement of intellectual property rights optional in some policies.)
  • Technology errors and omissions liability

*In some policies:

  • Payment of defense costs reduces policy limit, or such costs are paid in addition to the policy limit.
  • Selection of defense counsel is mutually agreed upon, or counsel is selected solely by the insurer.
  • Insured can refuse to settle and be responsible for 30% to 50% of claim, or insured must settle if insurer chooses to settle.

First-party expenses for:

  • Notification of customers regarding breach (Note: For costs incurred within one year of notice to insurer.)
  • Forensic study to determine scope and cause of breach
  • Hiring attorney to ensure compliance with notification-of-breach laws
  • Regulatory action (Note: Fines and penalties considered a third-party liability in some policies.)
  • Crisis management to mitigate damage to reputation (Note: Public relations and credit monitoring sublimit of $100,000 on one policy; limit usually agreed on.)
  • Business interruption and additional expenses (Note: Optional in some policies; also known as Business Income [and Extra Expense].)
  • Electronic data protection/remediation (Note: Optional in some policies; difficult to insure because of prohibitive cost.)
  • Cyber extortion (Note: Various threats asserted: introduction of a virus, denial of service, and transfer of funds available on some policies.)
  • Cyber crime (Note: Insured's financial institution transfers funds on a thief's instructions; available on some policies.)

Best Practices for Cyber Insurance Buyers

Cyber insurance buyers—or their trusted advisers—must know what to look for in a cyber risk policy. Best practices include these:

  • Assess whether, in general, the cyber policy has broad definitions with few exclusions.
  • Buy both first- and third-party coverage, because claims of either type can bankrupt most organizations.
  • Verify that the cyber insurance policy provides coverage for unencrypted mobile devices, such as laptops, that may be taken away from the insured’s premises to locations with less security.
  • Determine whether to purchase cyber coverage for regulatory actions. Federal and state governments actively fine organizations that fail to protect their customers’ private information or fail to promptly notify customers of a data breach.
  • Consider buying coverage to restore electronic data. The cost to reconstruct the information may be prohibitive, but without such coverage, the insured may be forced to suspend its operations.

Risk managers and insurance professionals should be aware that insurance is only one method of managing cyber risk loss exposures. Other methods include treating and monitoring risk, which can be done using cyber-specific risk control measures such as these:

  • Developing, distributing to all employees, and updating written data protection and privacy policies
  • Confirming that the insured’s data protection policy complies with applicable industry standards and legislation in all jurisdictions in which the insured does business
  • Using firewalls to prevent unauthorized access from external networks
  • Using and continually updating antivirus protection on all computer systems and servers to protect against viruses, worms, spyware, and other malware
  • Confirming that the insured complies with payment card industry data-security standards if it collects or distributes credit card data
  • Requiring encryption to be used to protect data on portable devices, such as laptops
  • Performing background checks on employees and third-party vendors that have access to the insured’s computer system
  • Requiring the third-party vendors that provide data processing to have their own data protection liability insurance and to indemnify the insured for liability attributable to the vendor

A policy that can increase cyber risk coverage in two ways, the first by providing coverage for perils that are normally excluded by cyber risk policies and the second by providing additional limits of coverage, is referred to as a difference in conditions policy.

A typically available cyber risk coverage that protects an insured when a thief causes the insured's financial institution to transfer funds is called cyber crime.

A cyber risk coverage that can be difficult to insure because of prohibitive cost is electronic data remediation.

Cyber risk control, as opposed to risk transfer, measures include developing written data protection and privacy policies.

Applying Risk Management Techniques to Cyber Risk Loss Exposures

Because an organization’s cyber risk loss exposures permeate every facet of its business—from its home office’s data media to the most distant links in its supply chain—these exposures are most effectively treated as part of its enterprise risk management (ERM) efforts.

An ERM-compliant consideration of cyber risks entails analyzing them through the five steps of the risk management process:

  1. Scan environment
  2. Identify risks
  3. Analyze risks
  4. Treat risks
  5. Monitor and assure

In practice, organizations consider a variety of factors as part of this process, the steps of which may overlap or require different levels of analysis, depending on the organization’s size and the scope of its operations. The manner in which cyber risk management techniques vary may be illustrated through an examination of three types of organizations—a small business, a midsize business, and a large business. Organizations can select from a variety of coverages to address cyber risk loss exposures.


Comparison of Cyber Risk Loss Exposures

Traditional Insurance Coverage for First-Party Cyber Risk Loss Exposures

  • Insurance Services Office, Inc. (ISO) Building and Personal Property Coverage Form (also referred to as the BPP)—The BPP’s Electronic Data additional coverage pays for the cost to replace or restore electronic data destroyed or corrupted by a covered cause of loss, including a virus or harmful code.
  • ISO Business Income (and Extra Expense) Coverage Form—The Interruption of Computer Operations additional coverage covers loss of business income or extra expense resulting from a suspension of operations because of an interruption of computer operations. The interruption of computer operations must be caused by destruction or corruption of electronic data resulting from a covered cause of loss.
  • ISO Businessowners Policy (BOP)—The BOP’s Computer Fraud and Funds Transfer Fraud endorsement covers the damage to money, securities, and other property directly related to the use of any computer to transfer funds fraudulently or from fraudulent instruction to transfer funds.
  • ISO Commercial Crime Coverage Form—The Destruction of Electronic Data or Computer Programs endorsement to this form covers the costs to restore or replace electronic data or computer programs stored in the insured’s computer system if such property is damaged or destroyed by a computer virus or by vandalism committed by a person who has gained unauthorized access to the insured’s computer system.

Traditional Insurance Coverage for Third-Party Cyber Risk Loss Exposures

  • ISO Commercial General Liability (CGL) Coverage Form—Liability loss exposures for electronic data are excluded under the CGL. However, some coverage may be added back by the Electronic Data Liability endorsement. This endorsement applies only to electronic data losses that result from physical injury to tangible property.
  • ISO Electronic Data Liability Coverage Form—This form provides broader coverage for an insured’s liability for loss of electronic data caused by an “electronic data incident.”

Stand-Alone Cyber Risk Insurance Policies

Insuring agreements related to first-party coverages commonly found in cyber risk insurance policies fall into these categories:

  • Cyber extortion
  • Cyber crime
  • Business interruption
  • Terrorism
  • Notification or remediation
  • Electronic data protection

Insuring agreements related to third-party coverages commonly found in cyber risk insurance policies fall into these categories:

  • Electronic media liability
  • Network security liability
  • Privacy liability
  • Technology errors and omissions liability
  • Intellectual property liability


The Small Business

A boutique that sells locally handcrafted leather goods such as handbags, wallets, and outerwear is operated as a partnership by its two owners, who lease the store’s only location. The owners are concerned about the growing number of retail data breaches and decide to review their operations to ensure that they have addressed their specific vulnerabilities to cyber risk loss exposures.

The store’s most vulnerable sources of first-party cyber loss exposures are the means by which data is stored and disseminated. This may include cash registers, credit card reading and transmission devices, and their related software. Additionally, significant consequential loss exposures such as business interruption and extra expense costs could stem from a cyber loss that prevents the store from conducting transactions. Further, the reputational exposure resulting from a data breach may be catastrophic for a small retail establishment.

The store’s third-party cyber risk loss exposures relate primarily to the storage and transmission of its customers’ financial information. Such loss exposures include legal costs, fines and penalties, and the potential for a third-party claim by an individual or a group (class action) whose personal information was compromised.

Most commercial insurance products suited for the store’s particular business needs, such as the Insurance Services Office, Inc. (ISO) Businessowners Policy (BOP) and the ISO Building and Personal Property Coverage Form, also referred to as the BPP, provide limited coverage for first-party cyber risk loss exposures, while the liability section of the BOP excludes damages arising out of the loss of, the damage to, or the inability to access or manipulate electronic data.

The BOP and the ISO Commercial Crime Coverage Form may be the boutique’s optimal risk transfer option for these reasons:

  • The BOP specifically identifies a virus or harmful code as a covered cause of loss for both property damage and business interruption exposures.
  • The minimum limit afforded by the BOP is considerably higher than that afforded by the BPP.
  • The insured can purchase an increased limit for first-party exposures.
  • The Commercial Crime Coverage Form will pay for loss resulting directly from a fraudulent change of electronic data or computer programs that involves the insured’s money, securities, or other property. Loss resulting directly from a fraudulent instruction directing a financial institution to transfer, pay, or deliver money or securities from the insured's account is also covered.

The Midsize Business

A plumbing and heating contractor operates in three states, has 100 employees, and serves residential and commercial customers. Most of the contractor’s sales involve the installation and servicing of heating and air conditioning systems. The contractor’s risk manager has undertaken a complete review of its risk management program. At the conclusion of the review, the risk manager expressed concern that the contractor was exposed to potential data breaches and concluded that the company should reassess its risk management measures.

The standard commercial coverage forms, including the BPP and the ISO Commercial General Liability (CGL) Coverage Form, that the contractor had relied on for its primary insurance program did not adequately address its cyber risk loss exposures. For example, the BPP provides minimal coverage for the contractor’s own cyber risk loss exposures, such as its computer systems, its bank accounts, and any business interruption loss or extra expense incurred as a result of a data breach. While the limits offered by the BPP may not be adequate, some cyber risk loss exposures, such as remediation expenses, postbreach costs, and costs involved to restore or repair a damaged reputation, are not covered at all. The contractor may be able to secure additional limits under the BPP for some of its cyber risk loss exposures, but it must also secure a stand-alone cyber contract to specifically address its potential postbreach remediation and reputational expenses.

The contractor’s third-party cyber loss exposures are not covered under the CGL. For example, any compromise of a customer’s personal data that may be attributable to the contractor’s actions is not covered, nor is any theft or loss of customer information. Therefore, the contractor must also purchase a stand-alone cyber liability policy, which may provide adequate limits for both the cyber risk loss exposures not covered under the BPP and the cyber liability loss exposures not covered under the CGL.

The contractor may also secure specific noninsurance risk transfers, such as hold-harmless agreements, with its customers should the contractor ultimately be the source of any unauthorized access of its customers’ data storage and transmission devices. Such an approach may be acceptable to its residential customers, but commercial clients may not be as amenable to these kinds of agreements. Additionally, the contractor should secure an indemnification agreement from the vendors who service and repair its computer systems.

The Large Business

A publicly traded national retailer of children’s clothing is expanding its operations into Europe, Canada, and Mexico. In addition to its physical locations, the retailer maintains an online operation that has grown considerably. The retailer’s cyber risk loss exposures include (but are not limited to) these:

  • Damage to or destruction of its computer systems, including software related to inventory control and point-of-sale interruptions
  • Loss of income because of a business interruption resulting from damage to or destruction of its computer systems
  • Costs related to the forensic investigation of a data breach
  • Regulatory notification regarding a data breach
  • Potential denial-of-service attacks and cyber extortion threats
  • Unintentional release of customer information
  • Credit monitoring expenses for individuals whose personal data is compromised by a breach
  • Regulatory fines and penalties that could be assessed related to a data breach
  • Shareholder suits triggered by a decline in the retailer’s stock valuation in the wake of a data breach

The standard commercial policies covering the retailer’s property and general liability exposures are not adequate for the scope and breadth of its cyber risk loss exposures. Therefore, the retailer should consider these additional cyber risk management measures:

  • While the retailer’s property insurance policies may be endorsed to provide the required limit, the covered causes of loss may need to likewise be amended to ensure that coverage is triggered by unauthorized access to the retailer’s computer systems, regardless of any physical damage.
  • The coverage trigger for any business interruption or extra expense limit must respond to a data breach and not only to an event of direct physical loss or damage to tangible property.
  • The territory clause of the retailer’s policy should not be limited to the United States because the retailer has expanded outside of the U.S.
  • The retailer should secure coverage that addresses its costs for any forensic investigation of a breach, the cost of a public relations team to mitigate any reputational damage caused by the breach, and any necessary notification costs associated with the breach.
  • The retailer could also require its vendors or service contractors to assume responsibility for any loss or damage to its systems to which they may have contributed.
  • The retailer should purchase a cyber privacy insurance policy that provides worldwide coverage for its cyber liability exposures, such as the costs associated with the theft of customer data, the costs incurred from any regulatory proceedings or fines, and the defense costs for shareholder suits resulting from a drop in share price because of a breach.

Loss incurred, including related expenses, to respond to extortion demands relating to a cyber event is a first-party cyber risk loss exposure and is covered by a first-party Insurance Services Office, Inc. (ISO) coverage form.

The Insurance Services Office, Inc. (ISO) Businessowners Coverage Form (BOP) is optimal for small businesses because it specifically identifies a virus or harmful code as a covered cause of loss for both property damage and business interruption.

Electronic media liability is an insuring agreement related to third-party coverage that is commonly found in cyber risk insurance policies.

The Building and Personal Property Coverage Form's (BPP's) Electronic Data additional coverage will pay for the cost to replace or restore electronic data destroyed or corrupted by a covered cause of loss.

Liability loss exposures for electronic data are excluded under the CGL: its electronic data exclusion removes coverage for damages arising out of the loss of, damage to, corruption of, or inability to access or use electronic data, so this exposure must be addressed by a separate cyber liability policy.

Glossary

Data breach : An incident in which confidential or privileged information that is stored in a computer system is accessed or obtained by an unauthorized party.
Identity theft : A crime in which an imposter uses the name or personal identification information of a person (the victim), without his or her knowledge, to set up and/or use bank accounts, credit facilities, government and other benefits, or the victim’s reputation, often leading to adverse consequences for the victim.
Enterprise risk management : An approach to managing all of an organization's key business risks and opportunities with the intent of maximizing shareholder value. Also known as enterprise-wide risk management.
Cyber risk loss exposure : Any condition that presents the possibility of financial loss to an organization from property, net income, or liability losses as a consequence of advanced technology transmissions, operations, maintenance, development, or support.
Property : The real estate, buildings, objects or articles, intangible assets, or rights with exchangeable value of which someone may claim legal ownership.
Tangible property : Property that has a physical form.
Intangible property : Property that has no physical form.
Intellectual property : The product of human intelligence that has economic value.
Reputation : An intangible asset, a key determinant of future business prospects, resulting from a collection of perceptions and opinions, past and present, about an organization that resides in the consciousness of its stakeholders.
Net income loss : An indirect loss caused by a reduction in revenue, an increase in expenses, or both during a given time period.
Business interruption : Loss of revenue that a business or another organization sustains because its operations are suspended as a result of physical injury to its property.
Liability loss exposure : Any condition or situation that presents the possibility of a claim alleging legal responsibility of a person or business for injury or damage suffered by another party.
Separation : A risk control technique that isolates loss exposures from one another to minimize the adverse effect of a single loss.
Duplication : A risk control technique that uses backups, spares, or copies of critical property, information, or capabilities and keeps them in reserve.
Malware : Malicious software, such as a virus, that is transmitted from one computer to another to exploit system vulnerabilities in the targeted computer.
Net income : The difference between revenues (such as money received for goods or services) and expenses (such as money paid for merchandise, rent, and insurance).
Denial-of-service attack : An attempt to overwhelm a computer system or network with excessive communications in order to deny users access.
Period of restoration : The length of time after a direct loss that a business needs in order to return to the condition that would have prevailed had no loss occurred.
Contingent net income loss : A net income loss that is caused by events that occur outside the organization.
Extra expenses : Expenses, in addition to ordinary expenses, that an organization incurs to mitigate the effects of a business interruption.
Reputational risk : The risk that negative publicity, whether true or not, will damage a company's reputation and its ability to operate its business.
Negligence : The failure to exercise the degree of care that a reasonable person in a similar situation would exercise to avoid harming others.
Fraud : An intentional misrepresentation resulting in harm to a person or an organization.
Conversion : The unlawful exercise of control over another person's personal property to the detriment of the owner.
Fiduciary duty : The duty to act in the best interests of another.
Invasion of privacy : The unauthorized disclosure of private information to another.
Breach of contract : The failure, without legal excuse, to fulfill a contractual promise.
Class action (class action lawsuit) : A lawsuit in which one person or a small group of people represent the interests of an entire class of people in litigation.
Libel : A defamatory statement expressed in writing.
Slander : A defamatory statement expressed by speech.
Risk control : A conscious act or decision not to act that reduces the frequency and/or severity of losses or makes losses more predictable.
Cyber risk : The possibility that data will end up in the possession of a party who is not authorized to have that data and who can use it in a manner that is harmful to the individual or organization that is the subject of the data and/or the party that collected and stored the data.
Risk control technique : A method used to reduce the frequency and severity of losses as much as possible with the resources available.
Avoidance : A risk control technique that involves ceasing or never undertaking an activity so that the possibility of a future loss occurring from that activity is eliminated.
Loss prevention : A risk control technique that reduces the frequency of a particular loss.
Loss reduction : A risk control technique that reduces the severity of a particular loss.
Diversification : A risk control technique that spreads loss exposures over numerous projects, products, markets, or regions.
Stakeholder : Any individual or organization that is directly or indirectly involved with or affected by organizational decisions or activities.
Biometrics : Biological identification of an individual using anatomy or physiology.
Segregation of duties : Processes that ensure that no one individual has the physical and system access to control all phases (authorization, custody, and record keeping) of a business process or transaction.
Retention : A risk financing technique by which losses are retained by generating funds within the organization to pay for the losses.
Self-insurance : A form of retention under which an organization records its losses and maintains a formal system to pay for them.
Captive insurer, or captive : A subsidiary formed to insure the loss exposures of its parent company and the parent's affiliates.
Reinsurance : The transfer of insurance risk from one insurer to another through a contractual agreement under which one insurer (the reinsurer) agrees, in return for a reinsurance premium, to indemnify another insurer (the primary insurer) for some or all of the financial consequences of certain loss exposures covered by the primary's insurance policies.
Risk retention group : A group captive formed under the requirements of the Liability Risk Retention Act of 1986 to insure the parent organizations.
Non-insurance risk transfer : A risk financing technique in which one party transfers the potential financial consequences of a particular loss exposure to another party that is not an insurer.
Hold-harmless agreement (or indemnity agreement) : A contractual provision that obligates one of the parties to assume the legal liability of another party.
Hedging : A financial transaction in which one asset is held to offset the risk associated with another asset.
Supply chain : The network of external stakeholders on which an organization relies for goods and services.
Producer : Any of several kinds of insurance personnel who place insurance and surety business with insurers and who represent either insurers or insureds, or both.
Building and Personal Property Coverage Form (BPP) : A commercial property coverage form that can be used to cover buildings, “your business personal property,” and personal property of others.
Commercial General Liability Coverage Form : A coverage form commonly used for insuring an organization’s premises and operations liability loss exposures and products and completed operations liability loss exposures.
Business Income (and Extra Expense) Coverage Form : Form that covers both business income and extra expense losses (even if the extra expenses do not reduce the business income loss).
Businessowners policy (BOP) : A package policy that combines most of the property and liability coverages needed by small and medium-size businesses.
Crime insurance : Insurance that covers (1) money and securities against numerous perils (not limited to crime perils) and (2) property other than money and securities against crime perils, such as employee theft, robbery, theft by outsiders, and extortion.
Directors and officers (D&O) liability insurance : Insurance that covers a corporation’s directors and officers against liability for their wrongful acts covered by the policy and also covers the sums that the insured corporation is required or permitted by law to pay to the directors and officers as indemnification.
Triggering event : An event that sets in motion, or initiates, other events.
Insuring agreement : A statement in an insurance policy that the insurer will, under described circumstances, make a loss payment or provide a service.
Commercial package policy (CPP) : Policy that covers two or more lines of business by combining ISO’s commercial lines coverage parts.
Output policy : A policy that combines, in one form and associated endorsements, all or most of the commercial property coverages that the insured organization needs, and uses a flexible rating plan.
Manuscript form : A policy form drafted or negotiated for a specific insured rather than taken from a standard form. Manuscript forms usually offer more favorable terms for insureds than standard forms.
Business personal property : Stock, furniture, fixtures, equipment and machinery, tenant’s improvements and betterments, and other personal property owned by the insured.
Causes of Loss—Basic Form : Form that covers fire, lightning, explosion, windstorm, hail, smoke, aircraft, vehicles, riot, civil commotion, vandalism, sprinkler leakage, sinkhole collapse, and volcanic action.
Causes of Loss—Broad Form : Form that covers basic form perils plus falling objects; weight of snow, ice, or sleet; water damage; and (as additional coverage) collapse caused by certain perils.
Causes of Loss—Special Form : Form that covers “risks of direct physical loss,” subject to the form’s exclusions and limitations.
Liability loss : Any loss that a person or an organization sustains as a result of a claim or suit against that person or organization by someone seeking damages or some other remedy permitted by law.
Legal liability : The legally enforceable obligation of a person or an organization to pay a sum of money (called damages) to another person or organization.
Civil law : A classification of law that applies to legal matters not governed by criminal law and that protects rights and provides remedies for breaches of duties owed to others.
Criminal law : The branch of the law that imposes penalties for wrongs against society.
Tort : A wrongful act or an omission, other than a crime or a breach of contract, that invades a legally protected right.
Intentional tort : A tort committed by a person who foresees (or should be able to foresee) that his or her act will harm another person.
Strict liability (absolute liability) : Liability imposed by a court or by a statute in the absence of fault when harm results from activities or conditions that are extremely dangerous, unnatural, ultrahazardous, extraordinary, abnormal, or inappropriate.
Contract : A legally enforceable agreement between two or more parties in which each party makes some promise to the other.
Contractual liability : Liability assumed through a hold-harmless agreement.
Statute : A written law passed by a legislative body at either the federal or state level.
Personal and advertising injury : Injury that is covered by Coverage B of the CGL and includes injury resulting from numerous offenses, such as false detention, malicious prosecution, wrongful eviction, slander, libel, use of another’s advertising idea, and copyright infringement.
Sublimit : A policy provision that imposes smaller limits for certain kinds of property or lines of insurance.
Claims-made coverage form : A coverage form that provides coverage for bodily injury or property damage that is claimed during the policy period.
Claims-made policy : A liability insurance policy that covers claims first made against the insured during the policy period or any extended reporting period, regardless of when the injury or damage occurred.
Difference in conditions (DIC) policy, or DIC insurance : Policy that covers on an “all-risks” basis to fill gaps in the insured’s commercial property coverage, especially gaps in flood and earthquake coverage.
Primary layer : The first level of insurance coverage above any deductible.
Excess liability policy : A policy that covers liability claims in excess of the limits of an underlying policy or a stated retention amount.
Self-insured retention (SIR) : A dollar amount specified in an insurance policy that the insured must pay before the insurer will make any payment for a claim.

The five personas for customers in the insurance market for SMEs

In insurance, customer experience is the product.


Five Personas

Millennial generation / Startup

• My situation/business is unique.

• I need to tell you about it to make you understand and factor it into my quote/claim.


The Veteran

• This is not my first rodeo. I have purchased for many years.

• I know exactly what coverage I need/want and roughly what I should pay.


The Trigger Buyer

• I need insurance, like yesterday.

• As long as the price is not outrageous, I'm buying.


The Average Joe

• I know I need it, and I somewhat understand it.

• I just want to make sure I am not overpaying and am fully covered.


The Delegator

• I want an agent to do it for me. The process gives me a headache and I don't have time.

• I know I'm paying something extra for the agent service and frankly I'm fine with that, knowing he'll do a better job than I could.



List the steps you would take to bring a product from idea to deployment and beyond.

The steps outlined assume that the marketing and promotion of the product will be handled by another group. An iterative/Agile approach has also been assumed, combined with User-Centered Design principles, though other approaches could be used.

  1. Market Analysis: Market Analysis is a critical step to perform before deciding to undertake the development of any product.  Research needs to be performed to determine:
    • The size and demographic of the potential market
    • The needs of the target demographic
    • The growth of the market; is it growing and at what rate, or is it contracting
    • Competition within the market; who are the key players
    • Is there a widely accepted cost structure for the product that is being introduced?
    • Based on the cost structure that is to be chosen, what kind of profitability can be expected?  This can be determined by performing a Cost-Benefit Analysis.
  2. Competitor Analysis: For the competitors identified during market analysis:
    • Understand the features offered by each competitor's product
    • Compare each competitor's features to those features which are deemed to be most important to your targeted customer base, and rank each competitor based on the results
    • Speculate as to the strategic direction each competitor may be taking
    • Identify the clients of each competitor and determine which demographic segment they fall into
    • Understand the cost structure that each competitor uses for their product
    • Identify key weaknesses of competitors that may be exploited, etc.
  3. SWOT Analysis: Combining information from the market and competitor analysis, it is often helpful to perform and document a SWOT analysis to determine internal strengths, weaknesses and external opportunities, and threats. 
  4. Personas:  Develop Personas to reflect users of your product by market segment. 
  5. Strategic Vision and Feature Set: Determine strategic vision and feature set for product. This is the start of your Product Backlog (features to be developed).
  6. Prioritize Features: Create an initial priority for the features to be developed.
  7. Use Cases/User Stories: (Caveat: Use Cases and User Stories can mean very different things to different people. There isn’t a single standard used throughout the industry.) Create high-level Use Case descriptions or User Stories for the features that are intended for the first iteration of development. The objective of the use case description is to define the behavior of the features without getting into specifics about how the screens will support it.
  8. Logical Data Model: In parallel with the Use Case descriptions, create a Logical Data Model (to be further refined throughout the SDLC).  The logical data model creates a common terminology for referencing information that needs to be manipulated by the features of the product.  It also becomes a great starting point for the physical data model and database design. 
  9. Persona to Use Case Mapping:  Understand which Usage Scenarios will be invoked by each Persona.  This ensures that the appropriate emphasis is given to the segment of the demographic you are targeting as the highest priority.
  10. Screen Mockups/Storyboards: Create initial Screen Mockups and begin Storyboarding for those features which are prioritized for the first iteration of development.  This will be a very iterative process.  There will be many ways to design the product/application to provide the feature functionality as defined by the Use Cases. Also, as the team iterates through the screen designing process it may become clear that missed features will need to be added, or a change in the feature priorities needs to occur. 
  11. Product Backlog: Finalize the priority of features and create the Product Backlog which is the list of all features that need to be prioritized, tracked, and eventually developed for the product.
  12. Begin the first iteration of feature development
    • For-Each Iteration
      • Logical Specifications: Create logical specifications to define the precise screen behavior. This will include screen mockups, a description of on-screen behavior, screen transition behavior and navigation, sounds, details about controls and the information (logical data model) that each control displays or accepts from the user, etc. The behavior can be described textually using pseudocode or, when appropriate, with process flow diagrams (UML Activity diagrams or similar).
      • Test Cases: Create test cases reflecting the expected outcome for each usage scenario
      • Physical Design Specifications: Translate the logical design into physical design.  This may include a physical data model and database schema design, static structure modeling using techniques such as class diagrams to reflect the physical structure of the code, class interface design, and behavioral modeling using techniques such as sequence diagrams as necessary. While the design of the code and database at this level is primarily intended for the iteration in progress, consideration should be given to the overall code and database architecture to ensure appropriate scalability for large user populations and large numbers of concurrent users.
      • Write Code: Code to the specs
      • Unit Testing: Perform unit testing
      • System Integration Testing: Perform system integration testing based on the test cases created prior to coding
      • Regression Testing: Regression Test the application using test cases from prior iterations to ensure that new changes didn’t introduce unforeseen bugs.
      • Deploy Code: Deploy the code and release the product.  Depending on the situation this may be a beta release with a pre-defined set of beta users.
    • Once the iteration is complete, then the next iteration can begin.
  13. Metrics and Monitoring: After a product has been deployed, specific metrics about the product can be tracked and monitored to see how the users are actually using the product.  What do they use frequently? What do they use infrequently?  This is especially relevant for SaaS products.  Though even shrink-wrap software can have built in metrics tracking that is reported back to the developing organization. This information can be used to further refine features and build the product out in areas where it is found to be lacking.
  14. Strategy for Scalability: For SaaS products, database/server monitoring should occur to ensure that concurrent user activity can be supported.  Strategies for scalability should be in place well in advance of ever needing them.

Some of these steps could be combined, pared down, or avoided altogether depending on the demands of the project and the complexity of the product or application. Use the minimum number of tools, models, and specifications needed to communicate the necessary information to the coders in a way that ensures the final product meets the expectations of the customer and is defect free. One might refer to this as “just enough documentation” – not too much, but not too little.

However, the decision to eliminate certain steps or deliverables should be a pragmatic one, and should not be done out of laziness or a lack of understanding of the importance of a particular deliverable.  

Shark Tank Ideas

Life Coach

XYZ Insurance is a relevant and present partner in customers’ everyday lives for all events, offering a guide/coach to navigate them. Insurance transitions from a one-touch-point pain experience of paying and being paid only in case of a claim to a multi-touch-point partner that accompanies customers’ lives and experiences.

The XYZ Insurance Life Coach is a life cycle assistance product.


Customers can call us any time and receive a broad range of assistance services. An annual allowance of telephone advice time is included and paid through a monthly fee.
XYZ Insurance enriches this hotline/concierge service with PA and CI. In case you are diagnosed, you can request a personal coach to analyse your situation and needs at the various stages of the processes you will need to go through, with personal and emotional respect and empathy. The coach will guide you through the steps that need to be taken (lawyers, administrative papers, grocery service, meal service, transportation, psychologists).


XYZ Insurance will then pay a lump sum or take over the costs of the services to be arranged, up to a maximum of CHF 50’000. The initial personal consultation is free. The insured can also request a partial cash payout if wished.


The Life Coach program will include features to enhance your everyday well-being as the focus of the service.

 

Additional XYZ Insurance products can be included to reflect the varying needs of customers throughout their life-cycle. 

• PA
• Cyber/hospital cash/travel
• Mobile phone protection/gadgets
• Family protection (PA of Children), PA 50+; Disabled Child, Heavy Surgery, Dementia
• Critical illness kids

• The XYZ Insurance Life Coach program will include community-building features for customers to share their favorite services and experiences.


Insurance Travel Card

The XYZ Insurance Travel Card is a personally issued business travel card with the function of a debit/credit card. In addition, business travel assistance can load money onto the card in seconds, 24/7. This means that XYZ Insurance can immediately load money onto the XYZ Insurance Travel Card of business travellers who are in need, and customers can use it to pay costs immediately.


This allows possible emergencies to be treated promptly and easily.


The frequent travelers are the decision makers in a company when it comes to which business travel insurance should be chosen. Our unique offer is convincing. The brand XYZ Insurance is visible and better recognized by our XYZ Insurance Travel Card.


The additional offer will lower the price sensitivity for this product and convince the decision makers for our product, although it is more expensive than the standard product.

 

We can support business trips in the following areas:
• Medical emergency
• General payment problems
• Baggage problems
• Delays or breakdowns of means of transport
• Evacuation

 

The positive loss experience will underscore the value of our business insurance to the client.
Further possible development of the idea:
• Connect the card with our Travel Smart App and offer customers additional products and services:
o Private travel
o Opportunity to meet other business travellers
o Cash advances at the customer's request in situations in which the customer is in need but the loss is not covered by the existing insurance (money in advance)
• Luggage reception at the aircraft
• Access to airport lounges
• Cross sell with the credit card company
• Customer information can be used to improve the offer and to predict the claim development more precisely.

• A customer loyalty program




Travel Smart App

"The new idea is using our market leading Travel Smart App (https://www.youtube.com/watch?v=Lsn-BLLoFD8) as a digital distribution platform to sell existing/new  insurance products such as Leisure Travel and Personal Accident.

 

Our award-winning Travel Smart App for iOS and Android is available to download for free for any individual covered under an A&H Business Travel policy, which means the potential reach of this new method of marketing could surpass a million individual contacts, leading to substantial revenue potential.

The app gives us direct access to a target demographic allowing us to advertise and bind a variety of products that the end consumer would normally not be aware of. The app is currently available in over a dozen countries, allowing a large geographical reach that could be further specialised to meet local demographic needs with varied products advertised on the app including varied lines of insurance.

 

By automating the quote-to-bind process on our app we would provide an efficient, modern, user-friendly method to purchase insurance. Policy documents would be stored on the app for ease of access, alongside links to submit claims and download visa certificates.

 

This would reduce administration costs involved with manually quoting, binding and producing policy documents. Behind the scenes we would be able to control rates and premium, allowing us to instantly react to changing trends in purchasing and losses. All quotes, documents and claims would be automatically logged on our system via the use of an Application Programming Interface.

 

There is a huge potential to scale the Travel Smart app by making it available in more countries and allocating resource to encouraging downloads and supporting our Business Travel clients.

 

By allocating more resource to increasing downloads we would also be able to demonstrate to our BTA clients that the Travel Smart app is an essential added value service they benefit from. This will lead to higher retention rates of clients as they will be reluctant to lose this free service, especially once the product is on a large number of their employees' phones."



Self Employed cover


"Develop a product which supports self-employed and small business owners with cover in case of sickness or incapacity to work, to help them cover their daily ongoing expenses while the owner is unable to work. Self-employed and small business owners in Germany are in principle not covered by the public health sector and no salaries will be paid in case of sickness. Day 1 coverage can be bought from private health insurers with full medical underwriting and for a high price that most self-employed are not able to afford. XYZ Insurance could benefit from its own experience in Germany writing business through Combined Insurance in the past. An existing portfolio of 60,000 policies could be used to approach a bigger customer base through DM activities. Furthermore we can offer the product to the AXP SME customer base. The product should be without medical underwriting questionnaires and should offer a precise cover based on the insured's expenses to be covered, like rent for a shop, electricity, replacement costs during his own absence… Cover shall be recognised as an Airbag policy and not a full medex product…"


Real Time P & L reporting


"Development and roll-out of a real-time P&L reporting system for multinational program business covering all XYZ Insurance countries and associated friendly fronts. Therefore already available MNLR loss data is to be enhanced by relevant premium data. To be included in WorldView as additional features to allow brokers/clients as well to view program performance daily."


Fire Fighters

Throughout the last 12-24 months there has been a surge in forest fires worldwide, primarily due to climate change, with ever more prolonged and sustained periods of hot weather, as well as an increased frequency of malicious acts by individuals intent on causing damage. While traditional property insurance is becoming difficult and even unobtainable in some parts of the world, we can offer victims some level of protection and support. Disaster recovery services and assistance are available and accessible to many businesses, but this is not necessarily true of individuals and small to medium sized businesses. We are considering the addition of a 'Disaster Recovery Extension' to add value to our SME and personal/small commercial lines offering in affected territories such as California. The option would be available to purchase inner limits to help address the most immediate concerns, such as assistance with and reimbursement of the costs of relocation, travel, alternative accommodation, catering, loss of revenue, denial of access, childcare and the cost of preventative measures should the worst happen. This will be offered alongside assistance and advice on measures customers can take to mitigate loss or damage, preparation of insurance claims, assistance in document recovery and legal costs, automatic alerts and warnings, credit card bill recovery and so on.


GIG Economy

The workforce is changing. There are five million people currently working in the gig economy in the UK, which is around 15.6% of the total full and part-time workforce (32 million people), and this rate is set to rise.

 

This group is often vulnerable and misses out on workers' rights such as sick leave, holiday pay, redundancy pay and maternity leave. Gig workers are not even guaranteed the minimum wage. This can have a disastrous impact on individuals and families, as over 25% of households in the UK have less than £95 in savings and little to fall back on in the event of being unable to work.

 

This changing workforce structure also presents challenges at the business end: whilst it is great to have a workforce you can flex to satisfy business requirements, there is still a need to show a duty of care to these workers, and there is reputational and legal risk if companies fail to do so. With customers showing more and more emotive purchasing, this has never been more relevant.

 

With many big-name companies operating on this basis, this is a big opportunity for XYZ Insurance in the UK and globally.

 

The idea being put forward is a benefits package distributed digitally via an app to individual gig economy workers. It will be a slimline version of a full-time employee benefits package, but will flex to accommodate the feedback and customer-centric approach taken at the product development stage, including more relevant health covers like a virtual doctor to help promote a healthier workforce and take the strain off the NHS.

 

App capabilities include:

• Up-sell of other XYZ Insurance products/higher benefit levels
• Ability to white-label for individual clients
• Improved brand awareness of XYZ Insurance
• A feedback function to capture user suggestions for improvement
• Video to demonstrate usage/educate on coverage, with a claims portal link
• Paves the way for us to work directly with clients


Ticket Smart

Standard personal accident (PA)/sickness ticket cancellation cover (music festivals, theatre, sporting events, etc.), promoted through an app, with cover extended to include an automatic payment (which may be a voucher for a future event) if the event is cancelled, starts more than 45 minutes late or is cut short for technical reasons, etc.

 

Ticket Smart will send a push notification about the insurance when your mobile identifies an event in your email to add to your calendar, and when a ticket is transferred to your e-wallet. We would also engage with event organisers to promote this product.

 

Ticket Smart will deliver useful content about the event, venue, maps, traffic and public transport to ease planning, and will notify you if there are travel issues. This content will drive customers to download the app.

 

Event-linked cover: working with the event organiser so that if the event is cancelled, cut short or has a delayed start, the payment would be an automatic credit of cash/voucher to the individual. We would receive notification of an insured event taking place from the event organiser to trigger this. Any additional or unused travel costs resulting from this could also be claimed.

 

Individual cover: typical ticket cover familiar to XYZ Insurance, which will pay the ticket/booking price and lost travel costs if you are unable to attend due to PA/sickness. Possible extension to cover travel delay should the individual be delayed on public transport, similar to travel insurance cover.

 

Opportunities to cross-sell with Event Cancellation cover and potentially to incentivise prospects like Ola Cabs or Uber to link our app to theirs for people who want taxi rides to/from the event.

 

The app will be useful and easy to use and, where possible, claims payments will be automatic.



FLY-OT


A connected device aimed at our travel insurance customers that would enable them to activate or freeze their travel insurance policy with the touch of a button.

 

This device would not only give XYZ Insurance precise measurements of time on risk, but would also provide location details. If the luggage is lost or stolen, both the policyholder and XYZ Insurance would be able to track its location to speed up recovery and improve the chance of it.

 

The data collected from this device could also be used in a variety of ways, from sending catastrophe or terrorism event warnings to customers in at-risk locations, to providing businesses analytics data on their staff travel insurance.



The Green Team


It is now well known that one of the main innovations characterising our economic system will be the possibility of making online purchases with very short delivery times. Nor is it a mystery that, in this regard, the world's leading global trading companies, most notably Amazon, are seriously considering using drones to make deliveries in less than half an hour. Is this all science fiction? To the question "Is this science fiction or is this real?" Amazon replies on its website: "It looks like science fiction, but it's real. One day, seeing Prime Air vehicles will be as normal as seeing mail trucks on the road." Our team's idea starts from this assumption and proposes a single insurance product resulting from the union of several classic covers: 360° insurance coverage for drones. In addition to covering any damage to the drones themselves (Property logic), the policy will also cover damage to third parties during transport (General Liability logic), damage to transported products (Marine logic), damage caused by a hacker attack on the aircraft (Cyber logic), and delay in delivery to the customer. Drones are now widely used tools in a wide variety of tasks; XYZ Insurance itself uses them for our Risk Engineering service.



Squad-Zero Implementation


In a fast-moving world a dynamic way of working is imperative. The way of doing business has to be adapted in order to respond promptly to market opportunities and customer needs.

Our idea is to create and implement well-dimensioned, skilled teams (called SQUADS) that work as dynamic cells, fully oriented towards customer centricity, productivity increase and employee engagement.

It is our ambition to create the "SQUAD ZERO", a multidisciplinary team specialised in Global and Upper MM Accounts in both domestic and multinational tenders, which works fully aligned during the tender period with flexibility, autonomy and strong engagement.

This Squad is focused on WHAT, HOW and DELIVERY.

Squads dissolve once the mission is over and are ready to reshape and face another mission. In the meantime the individuals continue with their BAU.

The XYZ Insurance Tribe will be our new organisational model for tenders, based on pre-defined squads.


My Curators

myGALLERY is a digital dashboard accessible via multiple channels, initially for Masterpiece High Net Worth customers to view and manage their portfolios with XYZ Insurance.

 

We recognise the need for more 'touch points' with our customers in an environment in which emergent technology is making it easier than ever for customers to connect directly with their insurance providers at high velocity, and in a challenging broker environment which has been slow to adapt to changing customer demands.

We call the platform myGALLERY since it will house a digital record of a customer's own Masterpieces along with their policies, which have been Crafted by XYZ Insurance, so the name applies across product lines.

 

myGALLERY builds on an existing broker facing portal we employ in the UK & Ireland to offer a direct connection with our Personal Lines customers which can in time be scaled to other regions, product offerings and to integrate new functionality and emerging technology.




Claim Operations


This idea speaks to ambitions in the (lower) mid market and digital space.

 

We have the opportunity to be involved in the launch of a new product in the community sharing space called ShedSpace. The principle is close to that of AirBnB, allowing registered users to rent their spare space to people wanting to store items.


The holding page for the business is here: https://www.shedspace.com/


There is currently only one other provider in this space. They have low penetration and are London-centric.


This is an online distribution model where the person wishing to store would purchase insurance on a day rate at the time of booking the space.

 

The insurance product is a first party risk. Claims risks will involve frequency and moral hazard. The business has a six-point ID checking process that will support mitigation.


Weather App


"The idea is to sell, via a mobile app, parametric weather insurance products for outdoor events. Payout would be based solely on weather measures for a given location, date and time. You would need to buy this product at least D days before. Then, on the given date and location, if at least x% of the nearest Y stations report rain, the payout would be based on an actual % of the premium, taking into account probability and margin. You could buy insurance for a rained-out picnic, thunderstorms for a VFR session, a rained-out World Cup final, etc. Premiums would be small amounts, to ensure customer buy-in."


VatBot

"Expansion of an automated VAT decision tool currently in use within the EMEA region. This tool could be developed and adopted on a wider global basis to allow the benefits of the tool to be utilised in other regions where there is a VAT/GST (or similar) system involving VAT/GST exemptions for insurance."



Insurance Subscription


"As the world is now more connected than ever, and this technological environment will only expand more and more in the coming years using IoT, blockchain and AI, we believe that XYZ Insurance has the ability to collect and use that data to protect every individual based on his/her lifestyle.

 

Our disruptive product is an insurance subscription offered direct to consumer as a service, all under one roof: from motor insurance, travel insurance, house insurance, A&H, Cyber, SPL and Life to any other existing consumer insurance product.

 

Given the fact that XYZ Insurance also has or is developing ways to monitor, settle claims and become one of the market disruptors when it talks about moving insurance industry forward."


Esports Insurance

"Professional-level computer gaming, or eSports, is a fast-growing global industry, with expected 2018 revenues of $906 million, a year-on-year growth of 38.2%. Estimates for 2021 put revenues between $1.3 and $2.2 billion. Prizes for individual players can exceed $1 million per tournament, with multiple tournaments being held globally each year. The 2018 'Fortnite Battle Royale' tournament prize fund is $100 million. Individual players as well as teams often have celebrity status within the industry.

The eSports industry has a range of participants: individual players, agents, teams, managers, boot camps, tournament organisers, audiences, sponsors, and distributors. Risks vary from personal accident for players, property risks for team and boot-camp managers, contract failure between teams, players, and tournaments, loss of earnings through tournament failure or team withdrawal, advertising loss through distribution failure (ESPN, Twitch), event cancellation, or event underperformance.

These are all well understood types of risk for which XYZ Insurance already has products, but none are branded or targeted towards eSports organisations, fans and players. As risks materialise over time, there is likely to be a growing understanding of the need to obtain insurance and an opportunity to craft a tailored offering for the sector.

This proposal is to create a branded suite of eSports products and packages to serve all areas of the industry, leveraging existing product knowledge and incorporating industry and market need analysis. The aim is to allow participating bodies to pick and choose covers that they require.

Recently Manchester City, West Ham, Boston Celtics and Cleveland Cavaliers all purchased eSports players to represent their brand in tournaments that mirror their physical sports. Formula 1 has formed an entire league for the eSports equivalent of racing.

With such bodies making long-term investment into the field, there should be little doubt about its viability."


Protection Insurance

"This is an insurance product for our customers who have experienced violence. The name of the product is "Protection Insurance". People who face physical violence, snatching or sexual harassment can benefit from this insurance. People can reach the TPA by calling the phone number that will be provided to them when they buy this insurance. The coverages will include AME (Accident Medical Ext), Hospital Cash, psychological help and legal assistance. Assistance will be provided via the TPA. Theft of goods can be added as an additional benefit. The violence will be supported by a hospital or police report."


App Connect & Protect

"What we are proposing is creating an app that can be used by our existing 15,000 HNW clients to add value to our proposition. XYZ Insurance PRS (Personal Risk Services) is a B2B2C business, so communication with the end user is minimal. The HNW market is moving fast and we need to move with the times. More and more people are time poor and asset rich, so dealing with things on the go is key. The app will provide access to policy documents, wordings, valuation and appraisal reports, and push notifications to remind clients of the need to update valuations and of upcoming appraisals. It will offer the ability to notify claims through the app with picture and video upload to improve the validation process. It will have an information and video suite that will provide key information on security, cyber and the dangers of social media for kids. Our aim is to improve the client experience and help clients see the value in the premium product they have purchased."


XYZ Insurance Insured


"XYZ Insurance is great. "XYZ Insurance insured" is even greater, for it opens a virtual platform via a webpage and an app where all of XYZ Insurance's insured are connected (if they want to be): they may search for or offer services to each other, hence building on the trust that comes from being insured by XYZ Insurance.

 

The "XYZ Insurance insured" initiative lets the insured connect in a lot of different ways. Imagine you have a water leak in your house and are in dire need of a plumber, but do not know one. Just use the new "XYZ Insurance insured" app and check out all the "XYZ Insurance insured" plumbers in the area; maybe one is available and even offers a special discount. Or imagine a company whose supplier is suddenly out of business. Maybe it will find, using the "XYZ Insurance insured" app, a new supplier who offers the required goods as well. Or think of our claims department, which is in need of an expert or a contractor for a quick fix: using the "XYZ Insurance insured" app, it might be easy to find the right person in the required area and maybe even save money in the process."


Homeless Children Insurance


"The product is for homeless children, with education and/or savings coverage. The product is a package insurance targeting governmental and private entities. We will be approaching governmental entities, i.e. the Ministry of Family and Social Policies and the Turkish Social Service and Children Protection Institution. Children up to 18 years old will benefit from this product, which would be unique to the local Turkish market and possibly globally too."


#Phone Voyage Travel Insurance


"Ensuring safe travel will be easier than posting a hashtag on a photo: #phonevoyage

 

How long does it take to post the perfect hashtag on a travel photo? Believe me, it's more than it will take to get travel insured with #phonevoyage.

 

With just one click on your smartphone, you will be able to grant yourself the most carefree trip ever. With the #phonevoyage app you will be covered against the main worries during your travels:

  • Robbery, falsification or cloning of debit and credit cards, identity theft
  • Loss of personal documents
  • Travel assistance, including cancellation
  • Personal liability for tenants of rental houses

 

No matter what type of traveller you are, be it a #globetrotter, #honeymooner, #squadgoals or #bradybunch, among others, #phonevoyage adapts to any traveller profile and meets your needs.

 

You will decide who is covered, how and for how long.

 

From one day to the end of your trip, a single click on your phone will activate the coverage, with no need to submit long questionnaires every time you travel or to make payments in advance. You will pay as you use.

 

Last minute plans? Your son has decided to have a weekend outside with friends? Family trip in Italy? Crazy weekend in Ibiza? No problem, now you can manage it as you wish and have a sleep easy coverage.

 

#phonevoyage includes the possibility of contacting 24/7 assistance and also of reporting claims, just by clicking a button on the main menu of the app."


Hapag Lloyd - Shipment Worldwide

"Smart and easy digital added value solution attached to Hapag Lloyd's online Freight-Service-Platform for worldwide single shipments. Capturing only a few additional pieces of information to provide fast and immediate insurance cover to Hapag Lloyd freight customers around the globe."


SPL B2C Insurance Brand

"To enter a new market/under-developed market for SPL products by creating our own B2C device insurance brand and platform/value chain. This gives us direct control of all above-the-line and below-the-line marketing activities to generate maximum sales. In addition, we will tackle and link in Affinity partners such as MNOs, Retail Banks, Electronic Retailers and Insurers (and their sales agents)."


Consumer Insurance Policies library


"Setting up a library, available through XYZ Insurance's website, that provides hassle-free access to XYZ Insurance Consumer insurance policies.

 

Nowadays, there are a lot of websites or applications focused on filing claims but through the library the insureds could quickly and easily retrieve and manage their insurance policies any time. They could also get the details of the insurance intermediary that is brokering their policies.
A link to notify a claim should be available and connect to our current claims customer portals (CSP). In a target version, the details of the insured policy should populate the dedicated fields in the claims portal.

 

I suggest working on consumer lines firstly.

 

From my experience of the Italian insurance market, direct consumers have difficulties both in getting hold of their policies and in knowing who their broker is. For example, they mix up the name of the broker with the name of the insurer. A library would help customers get clear and straightforward information about their policies and their broker's details.

 

Basically, the website would display both the policy schedule and the broker’s details.

 

The project can leverage the upcoming introduction of IPID (Insurance Product Information Document) that is one of the main requirements laid down by IDD (Insurance Distribution Directive). IDD is an EU directive setting out new professional requirements for European insurance distributors. One of these requirements is a standardized policy schedule featuring the basic information of a policy such as information about the type of insurance, summary of the coverage (main risks underwritten, sum insured, and deductibles); policy coverage dates.

 

The e-form of the IPID is the right tool to provide an easy-to-read and digitised policy schedule format which is clear and concise, displaying only the relevant pieces of information of the policy. Furthermore, the e-support can make use of hyperlinks through which more information about the policies' terms and conditions could be delivered to the insureds.

 

To sum up, the idea is to put up a library or repository that makes the policies and brokers' details simple to access.

The main goal of the project is to broaden and strengthen the relationship between the insured and XYZ Insurance, making them know they can rely on XYZ Insurance 24/7."


Next Act Platform


"We propose creating a platform called 'NextAct' to convert the wealth of information that we hold on our customers into actions in order to write more, and more profitable, business. NextAct will be able to suggest specific actions for individual customers such as recommending products to cross-sell, flagging renewals at risk, targeting profitable lost business and identifying new customers within our underwriting appetite. It will do this by applying intelligent automation and algorithms to a comprehensive customer database.
Think Amazon and Netflix recommendations for insurance! In addition to facilitating top line growth, NextAct will be able to support product/industry specific research, marketing campaigns and price elasticity analysis by providing a single customer view.

As the industry evolves to develop more data & technology enabled solutions, NextAct will allow us to make decisions based on empirical rather than anecdotal evidence. We believe NextAct will create a platform that could underpin all our customer offerings. NextAct brings together the art of craftsmanship and the science of data to create a service that has the potential to truly make a difference in our business."


SME Insurance Comparison

"An interactive tool that allows an SME to discover how comparable companies are addressing their insurance risks.


A user would enter their company's name and the system would gather information about the company from a number of sources. The system would then compare this with our existing data to provide a breakdown of the insurance products that similar companies have bought, for instance insurance coverages and limits based on their profession and size. This would also include example claims, anonymised from our own claims history and tailored to their company characteristics, alongside relevant claims and risk trends.


Depending on the company size, the system will then provide the user links to XYZ Insurance's relevant digital products or brokers, based on their offering and location."


XYZ Insurance Unite

The one-stop app that allows XYZ Insurance employees to learn and seek information on the go.

XYZ Insurance Unite will be a globally and easily accessible platform, running in real time with a clean and straightforward interface to improve communication, collaboration and sharing of information. This will work alongside the Village, but will be suitable for mobile phones, both personal and business. We spend vast amounts of time on our mobile phones, whilst travelling to and from work, on business and at the weekends; wouldn't it be great if ALL employees could get access to information instantly?

The app has several icons/tiles for each main communication style we feel is important. This could of course be an extensive list, but the below outlines our key areas of focus:
- Keeping team members who might be on leave/absent up to date and integrated.
- Displaying company announcements/promotions. Studies have shown we want to move away from emails and use social platforms to contact each other; let's have a place in the app to store such communications.
- Closed/private team pages: the ability to chat to team members in a trusted space, almost like a 'WhatsApp' style form of communication. This would be across functions and regions (we are a global company after all, so let's stay connected to North America, Asia Pac and Latin America).
- Travelling on business? Use the app to find out about the country you are visiting. Find top tips from those who work in that location and retrieve maps of the whereabouts of the office. What if you have an emergency? Let's build an app which can help our colleagues travel smart!


Car Leasing and Finance Gap Protection

 

"Gap protection product for car leasing and car financing, covering unexpected situations such as: divorce, multiple birth, long-term ILOE, accidental death & disability…
It will be an optional cover when individuals finance or lease a car, sold on the premises as an add-on while the financing is contracted.
Financing and leasing companies will be able to offer differentiated value.

Individuals can have easier access to upgrade or downgrade their car model within the car maker's range upon a claim trigger."


Domestic Violence Insurance


Protection for victims of domestic violence against its most significant impacts on the family. Applicable to all domestic violence (male- or female-originated). The covers are valid in the case of police-reported gender violence and will be:

- Capital in case of TPD
- Capital for dependent minors in case of parental death
- Hospital cash
- Capital to help with changing dwelling or temporary accommodation
- Legal assistance
- Psychological assistance
- Funeral expenses


Smart Contracts (Block Chain)

"In the near future, we will live in a world of millions of objects connected to each other, and it will therefore be possible to determine with total precision and transparency what has happened and at what time. In this context, it will be possible to stipulate smart contracts which automatically allow the activation of actions contained in the insurance and insured contracts (e.g. reimbursement, reduction or increase of the insurance policy).


With the XYZBC (XYZ Insurance Block Chain) platform it will be possible to create a digital and shared transaction log where participants (insurers, reinsurers and brokers) can exchange all the administrative transactions related to the contracts. Moreover, the identity of the seller and the buyer, the unique identifier of the asset and the time stamp remain secure and unmodifiable. For example, if you lose your baggage at the airport (travel policy), the XYZBC system reads and cross-checks the baggage data with the cancellation and delay data and refunds the indemnity directly, without having to report to the desk. XYZBC will automate many insurance processes such as premium calculation, checks management and settlement for certain types of claims, ensuring maximum transparency for the final user.


The basic concept can be connected to the IoT (Internet of Things) world, allowing, for example, environmental sensors to be connected to the insured property/object that transmit to the blockchain information about potential damages or catastrophic events (e.g. drought insurance: on the umpteenth day without rain, as previously agreed in the policy contract, the sensor in the ground starts the compensation procedure).


XYZBC will also offer a chatbot service, an artificial intelligence software that interacts with users through mobile apps. The user is asked questions about his/her needs, and this allows information about the customer to be obtained without subjecting them to long forms to fill out, improving the overall user experience and the quality of the insurance service."


Fitness-in-app Insurance

"The idea is to cater to insurance needs of users of Fitness apps/gadgets – such apps are growing with health and fitness conscious individuals taking interest in such apps which monitor daily workout activity. The segment is expected to continue to grow, as wearable technology become more common:

- Selling Accidental injury Insurance through a partner Fitness App – with certain coverage available only if bought by groups of users together.

- The cover would be for any injury during running or cycling or any agreed fitness activity being tracked by the App.

- Small injury coverage for all app customers who’ve purchased the cover, e.g. a fixed benefit for knee injury, elbow injury or shoulder injury.

- Cover to be in force during fitness session i.e. running workout as monitored by the app.

- Coach/Doctor advice covered.

- No Claim Bonus

- Target Market is the growing segment using app to monitor/track their fitness activity.

- Convenience - Less hassle for the customer to buy insurance"


Solit


"Can you imagine your local policy being issued and booked in seconds? SOLIT simplifies the process and automatically issues local policies, certificates and invoices. We deliver a solution to reduce the costs of servicing multinational insurance programs and lower turnaround.

SOLIT combines the best of both worlds: Max and a system that can issue policies/invoices/bookings and certificates. By creating an interface between Max and such a system of (for instance) XYZ Insurance Easy Solutions, we are uncomplicating processes and eliminating manual work. By combining the strengths of these two existing platforms we create a process where we send instructions via Max and issue a local policy right away. Good local standard policies, certificates, bookings and invoices will be issued by SOLIT.

SOLIT has the following benefits:

  • Contract certainty from day 1
  • Local policy immediately available in Worldview
  • More competitive SLAs
  • Cost reduction
  • Efficiency
  • Consistency
  • Get it right the first time
  • Higher customer satisfaction
  • Improved cash flow
  • Compliance

SOLIT leads to an even stronger brand value of XYZ Insurance and allows XYZ Insurance to become more competitive in this market. This will result in an increased volume of multinational programs serviced by XYZ Insurance and more compliant programs for clients."


Incontrol for SME


"InControl helps to create more awareness within the SME market about risks that they might encounter with their business and links this to XYZ Insurance Solutions.

InControl is a free online tool where the entrepreneur only has to enter their SIC code (from the Chamber of Commerce) and answer a few short questions. The tool then specifies the risks associated with the business activities and explains how these can be covered by XYZ Insurance solutions. The use of InControl leads to better awareness, understanding and resilience against the various entrepreneurial risks their business faces.

The advantages of InControl:

  • Quick and clear overview of risks based on SIC code
  • Better understanding of XYZ Insurance’s Insurance Solutions because they are linked to the risks
  • Increased awareness within the SME market

InControl ensures that entrepreneurs are aware of the risks that their company is exposed to, and of the necessity to insure. That way they can stay InControl."


A&H Asset Resale Protection


"Our idea is to provide some peace of mind to customers who, due to an unforeseen significant life event, may need to sell off assets in order to handle a heavy financial burden.

This idea is an offshoot of the resale protection product, which covers a loss in the value of a home due to unforeseen life events.

The benefit trigger is a significant life event, not an investment loss.

We propose to cover half of the loss of the initial investment in an emergency sale of a customer’s long-term assets due to a positive or negative life event, up to a maximum of CHF 50’000.

If an insured person

1. makes a loss (the negative difference between the purchase price and the sale price realised during the insurance execution period following the event) by selling long-term investments, meaning investments meant to be held longer than 1 year or legally defined and privileged as long-term (e.g. retirement savings), due to

2. AD, PDCS, CI, divorce, multiple birth or forced relocation, including any of these happening to close persons, which are partners and children."


Small is Beautiful for SMEs


"Insurance Online for SMEs: direct web platform and mobile app to be insured quickly and easily with personalised coverage in order to protect property assets, liabilities and human assets of SMEs.


The purpose of the tool is to give the SME manager the opportunity:
• to create his own packaged product adapted to his own activities,
• to get his policy online,
• to make it evolve if his activities/resources change,
• to notify a claim,
• to call for assistance if needed.

It is also an educational tool, as it is designed as a journey and gives access to videos with claims examples and tips for loss prevention for each risk they have to face.
After entering basic info about his company (location, industry sectors, number of employees, fleet, mobility, use of personal data), the SME manager will be guided through a scenario including risks of property, liability & PI, D&O, cyber, transport, duty of care… The scenario will depend on the basic criteria entered by the client.

During this journey, he will choose to click on the protection he needs and it will progressively fill a basket. At the end of the process, the tool will calculate the premium of the package product. If the client is satisfied, he will pay online and the policy documents will be immediately issued.

He will have permanent access to his account and be able to update data and covers through the website or the app (if he hires employees, buys new IT equipment, moves…)."


Time Crisis (formerly Commuter Disruption Cover)
A digitally integrated solution for commuters when public transportation breaks down. It would leverage the Grab app and include direct claims payments to be applied to alternative transportation

Newlyweds
A product aimed at newlyweds that is designed to protect couples as they start their new lives together. It would offer a digital financial planning application linked to relevant and affordable accident, health and life insurance, wealth protection and wealth accumulation solutions.

Collaborative eSports
A branded suite of products geared toward organizations, fans and players in the world of eSports. The products would be targeted to two groups: commercial organization – including video game publishers, game participants, arena/event centers and event organizers – and retail customers such as gaming enthusiasts and eSports spectators.

The Broker Mapping & Share of Wallet Manager
A mobile application called BrokerVision designed to support distribution expansion, improve data analytics for brokers and increase sales process efficiency. The tool would harness Chubb’s field presence and unite the businesses in collecting data and knowledge from all of Chubb’s distribution partners.

WC APP
A tool (website or mobile app) that would provide resources and education to engage injured workers in their care and recovery, benefiting both injured workers and their employers. Outcomes would include increased use of medical and cost savings programs; higher employee confidence and satisfaction with the employer’s program; education on medication with a focus on preventing future dependency issues; a faster return to health and work; and lower overall claims costs.

All-Inclusive Mobile App
An all-inclusive claims app that incorporates chatbots, allowing for easy claims submissions and seamless digital experience. The app would decrease claims cycle times and enhance engagement with customers. 

Young Adult (Thailand)

Summary: This team recommended combining a conventional Accident & Health policy with a new “Family Care” product that provides a daily benefit for insureds to care for loved ones after hospitalizations. The product would be tailored to specific Thai and Asian market needs where children are expected to look after their elders in times of sickness, a growing demographic trend. The product would also offer coverages to address other health matters of concern to young people.

Personal Cyber Product

Summary: This team recommended a “Personal Cyber” product to help address invasion of women’s privacy on-line, including expense and counseling support. The product was an example of the market potential to distribute and brand female-focused insurance products in a more innovative way including corporate social responsibility and community building.

TMK for Latin America

Summary: This team recommended a new and bold omni-channel marketing approach using data, technology and analytics to prospect, “hyper-segment” and connect with clients through the customized channels and marketing of their preference.

Techniques to prioritize requirements

Large software systems have a few hundred to thousands of requirements. Not all requirements are equal, nor do the implementation teams have the resources to implement all the documented requirements. Constraints such as limited resources, budget, time pressure and feasibility bring in the need to prioritize requirements.

Most customers on their part have a reasonable idea of what they need and what they want. But during requirements elicitation the customer provides the Business Analyst (BA) with all the requirements that he feels will make his work easier. The customer is not wrong on his part; the BA needs to understand the needs of the business to prioritize the requirements.

Prioritization means “Order of importance”. BABOK 3.0 suggests 8 factors that influence the prioritization of requirements.

  1. Benefit - The advantage that the business accrues as a result of implementing the requirement. The benefit can refer to functionality, quality or strategic / business goals.
  2. Penalty - The consequence of not implementing a requirement. It can take the form of regulatory penalties, poor customer satisfaction or poor usability of the product.
  3. Cost - The effort and resources required to implement a requirement. A resource can refer to finance, man-power or even technology.
  4. Risk - The probability that the requirement might not deliver the expected value. This can be due to various reasons, ranging from difficulty in understanding the requirement to difficulty in implementing it.
  5. Dependencies - The relationship between requirements: a requirement may require the completion of another requirement before it can be implemented.
  6. Time Sensitivity - Everything comes with an expiry date. Note when the requirement will expire, or whether the requirement is seasonal.
  7. Stability - The likelihood of the requirement remaining static.
  8. Regulatory/Policy Compliance – Requirements that must be implemented to meet regulatory requirements.

Prioritizing requirements is fraught with challenges – it requires a good combination of both analytical and social skills. Most customers will put their foot down and demand that all their requirements be implemented, and do-it-all developers would be willing to provide the customer with any feature he desires. But in reality there are only so many requirements that can be developed because of constraints such as time and resources. Hence, prioritization is an important activity that defines what goes into the product and what does not.

Whose responsibility is it to prioritize?

Prioritization of requirements cannot be done by the BA alone based on his understanding of the project scope. He needs to bring in various stakeholders into the process and get their agreement on the priority of requirements. The BA can use any of the prioritization techniques to statistically prioritize the requirements. But, before prioritizing the requirements, the BA needs to understand the dependencies between the requirements. Creating a dependency map helps the cause.

The requirements dependency map

Most requirements are interdependent and you will hardly find any requirement that exists independently. To understand why we need a dependency map, let us take a scenario where you have nine requirements X, Y, Z, P, Q, R, M, O and N with priorities, on a 5-level scale where 1 is most critical and 5 least critical, of 1, 2, 1, 4, 5, 1, 2, 2, 3 respectively. With these priorities it would be logical to begin with requirements X, Z and R.

Now, consider the dependency chart below for the above requirements. The chart clearly brings out the idea that we need to complete X before commencing Y, although X and Y have the same priority level. Similarly, we need to complete O before commencing R, even though R has a higher priority than O.


Figure 1: Dependency Map - In the above requirements dependency map, requirements on the left are the root requirements. Requirements that are connected to the requirements on the left are dependent on them.

Understanding the requirements dependency is just as important as prioritization. Without understanding the dependencies, it is highly unlikely that you will arrive at the right order of requirements implementation. So, it is a good idea to have the requirements dependency map in place before prioritizing the requirements.
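The ordering problem described above, worked as an added example (this code is not from the article). The nine requirements and their priorities come from the text; the dependency edges are the two the text names (X before Y, O before R), since the rest of Figure 1 is not reproduced here, so the edge list is an assumption. The function orders requirements with a topological sort that, among requirements whose prerequisites are complete, always picks the most critical one next, and reports circular dependencies instead of silently dropping requirements.

```python
import heapq
from collections import defaultdict

# Constructed from the article's scenario: nine requirements with priorities
# on a 5-level scale (1 = most critical, 5 = least critical).
PRIORITIES = {"X": 1, "Y": 2, "Z": 1, "P": 4, "Q": 5,
              "R": 1, "M": 2, "O": 2, "N": 3}

# (prerequisite, dependent): only the two edges the text calls out are known,
# so this list is an assumption standing in for the full Figure 1.
DEPENDENCIES = [("X", "Y"), ("O", "R")]


def naive_order(priorities):
    """Order purely by priority, ignoring dependencies (ties keep listing order)."""
    names = list(priorities)
    return sorted(names, key=lambda n: (priorities[n], names.index(n)))


def dependency_aware_order(priorities, dependencies):
    """Kahn's topological sort driven by a priority heap.

    A requirement becomes eligible only when every prerequisite has been
    scheduled; among eligible requirements the lowest priority number wins,
    with listing order as the tie-break so the result is deterministic.
    """
    names = list(priorities)
    rank = {n: i for i, n in enumerate(names)}
    indegree = {n: 0 for n in names}
    dependents = defaultdict(list)
    for pre, dep in dependencies:
        if pre not in priorities or dep not in priorities:
            raise KeyError(f"unknown requirement in dependency {pre}->{dep}")
        dependents[pre].append(dep)
        indegree[dep] += 1

    # Heap entries: (priority, listing rank, name); roots start eligible.
    ready = [(priorities[n], rank[n], n) for n in names if indegree[n] == 0]
    heapq.heapify(ready)
    order = []
    while ready:
        _, _, n = heapq.heappop(ready)
        order.append(n)
        for dep in dependents[n]:
            indegree[dep] -= 1
            if indegree[dep] == 0:
                heapq.heappush(ready, (priorities[dep], rank[dep], dep))

    # Anything never reaching indegree 0 sits on a cycle in the map.
    if len(order) != len(names):
        stuck = sorted(n for n in names if indegree[n] > 0)
        raise ValueError(f"circular dependency among {stuck}")
    return order


if __name__ == "__main__":
    print("by priority only :", naive_order(PRIORITIES))
    print("with dependencies:", dependency_aware_order(PRIORITIES, DEPENDENCIES))
```

The priority-only order starts X, Z, R; the dependency-aware order keeps X and Z first but pushes R behind O, which is exactly the point the text makes about the map.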

There are numerous prioritization techniques that are used in the market today; we have listed some of the more frequently used techniques below:

1. Decision Analysis – Decision Analysis can be traced back to Bernoulli in the 1700s. It remained an academic pursuit until the evolution of computers made decision analysis practical. Decision analysis is one of the most widely used decision making techniques, from the stock market to the battle grounds, to choose from the given alternatives. Decision analysis is popular because it provides a scientific approach to arrive at a decision by breaking down the most complex of problems into small manageable problems. There are different types of decision making techniques. In this article I will only touch upon the decision tree technique (it is easier to understand).

A decision tree is a visual analytical tool. It is a flow-chart like structure with 3 different types of nodes -

  1. Decision nodes denoted by squares - at these nodes a decision needs to be made choosing among the different alternatives.
  2. Chance nodes denoted by circles - these are also called event nodes. It is the event that happens when a decision is made.
  3. End nodes denoted by triangles are also known as the terminal nodes. This is the final decision point that is arrived at based on various decisions taken.

Other information such as the value, risk, probability, etc. can be added to aid in the computation of the result.


Figure 2: Decision Tree

In the above decision tree the user traverses from the left to right. The user needs to make a decision at A, B, C and to choose from the alternatives, 1, 2, 3, 4, 5, and 6. Based on the decisions that the user makes the user gets to points @, $, #, %.

The decision tree is popular because value, risk, probability, etc., can be set against each of the alternatives and analyzed statistically. The statistical analysis will provide insights to make the best decision possible with the present understanding of requirements.

2. MoSCoW – This prioritization technique was developed by Dai Clegg of Oracle UK Consulting, who later donated the intellectual rights to Dynamic Systems Development Method (DSDM) Consortium. Though the technique has been criticized for its lack of clarity in distinguishing the priority of requirements, it is one of the more widely used techniques for its simplicity and ease of use. The letters of the word MoSCoW stand for Must, Should, Could and Won’t.

Must have (or Minimum Usable Subset) – These are features that must be included before the product can be launched.

Some of the common guidelines for Must haves are as follows:

  • Cannot deliver on target date without this data
  • Not legal without it (Define it)
  • Unsafe without it
  • Cannot deliver the Business Case without it

Should haves are features that are not critical for the launch, but are considered to be important and of a high value to the user.

  • Important but not vital
  • Solution viable without the requirement
  • Workaround available for the requirement.

Could haves are features that are nice to have and could potentially be included without incurring too much effort or cost.

  • Wanted or desirable but less important
  • Workaround available for the requirement.
  • Less impact if left out

Should and Could are differentiated by the relativity of importance. The ones that have higher business impact are categorized under Should.

Won’t have - are features that have been requested but are explicitly excluded from scope for the planned duration and may be included in a future phase of development.

As a BA, challenge the Must have requirements and try pushing them into any of the other categories. The effort allocation for Must, Should and Could should be 60%, 20% and 20% of the total estimated effort respectively.

The MoSCoW method works better than a numeric rating system as it is much easier for the stakeholders to rate the requirements as Must, Should, Could or Won’t.

3. Three-level Scale – When a BA categorizes the requirements in any of the ordering or ranking scale, it is subject to the analyst’s understanding of the business. Many analysts suggest that this method has some drawbacks and advocate methods that have more than one scale.

Covey, Rebecca and Merrill would never in their wildest dreams have thought that their “four-quadrant 'Eisenhower Decision Matrix' for importance and urgency”, from their self-help book First Things First, would become one of the most widely used prioritization techniques in the IT space.


Figure 3: Eisenhower Decision Matrix – Lower the number, higher the priority of the section.

With the numbering on the different sections of the diagram, the priority of the sections is implicit. Important items have the highest preference, while urgent items have lower preference.

  1. High Priority – These requirements are urgent and important. These are requirements that are generally with respect to compliance or contract that cannot be left out. These requirements need to be implemented in the current release and not implementing the same will have some adverse effect on the business.
  2. Medium Priority – These requirements are important but not as urgent. Implement these after you implement the high priority items. If you look closely there is a line that splits this quadrant into 2 parts. Implement the items that are on the right side of the line first, as they are relatively higher within the medium priority.
  3. Do these later – These items are urgent but do not have a lot of effect on the business. Hence do them after completing the more important medium priority items. Similar to the medium priority items, this quadrant has also been split into two; the items on the right side have a higher priority relative to the items on the left.
  4. Low Priority – These items are neither important nor are they urgent. Complete the items at your leisure after completing the items in sections 4 and 5 respectively.

The items on the right hand side of the diagonal have higher priority. Start with the bottom-right corner of the high-priority quadrant and work your way up and left.

4. Timeboxing/Budgeting – Timeboxing or fixed budgeting is used when there are fixed timelines/budgets to achieve the project milestones. Timeboxing is used in projects constrained by deadlines, where delivering the project on time or within budget is as important as the delivery itself.

This technique is based on the premise that it is more important to have at least the basic product features and release the product on time rather than having all features and launching the product at a later date. Miranda (Program Director, Ericsson Research Canada) proposes, in a paper, two points of estimate: the normal completion effort and the safe completion effort. The normal completion effort is the happy-case scenario of the requirement being developed, while the safe completion effort is the estimate based on the worst-case scenario.

In Timeboxing, which is a refined version of MoSCoW analysis, the requirements are grouped into small subsets that can each be delivered as a whole; these are given a relative importance and the time schedule required for implementation. The idea is to move the more important features (Must, Should and Could) to earlier phases of implementation, to ensure completion of the more important features by the time of product launch.

This method is widely used in agile projects, as it helps in identifying the more important features and works very efficiently for an iterative approach.

According to BABOK V2, there are 3 approaches that may be used for determining the requirements to include in iteration:

  • All In – Include all the requirements necessary for the solution to be developed and then remove/postpone the requirements whose implementation will cause the project to miss the deadline.
  • All Out – Exclude all the requirements for a start and then include the ones that can be implemented within the constrained time schedule.
  • Selective – Identify the high priority requirements and then add or remove requirements to meet the deadline.

5. Voting – This is the simplest way to prioritize the requirements. When there are too many requirements that need to be categorized into different categories with inputs from different stakeholders, voting is one of the best ways to sort out the prioritization of requirements. I will suggest the voting technique that worked for me in one of the projects I was managing.

In this method we gathered all the stakeholders in a room (others not physically present were looped in through a call) and each stakeholder was given points (say 200, 100 or 50, based on the stakeholder’s importance) to vote on each of the requirements that had to be incorporated. Then we ran through over 400 requirements on which the stakeholders voted. The requirements with the highest points were chosen for implementation in the first iteration.

Care has to be taken while putting out the requirements to vote such that the requirements are grouped in a logical manner and that the stakeholders are voting on a requirement that can be delivered in entirety. The entire process took a day but it worked out really well.

Concluding remarks

  • Prioritization is one of the most important activities in the requirements analysis stage. Involve the stakeholders for better categorization and prioritization of requirements.
  • Analyze the requirements and understand the effect of different factors listed above on the requirements.
  • Choose the requirements prioritization technique that best suits your need and start prioritizing your requirements.
  • Challenge the importance of requirements. The lower the priority, the better.


Business Requirements - High Level Review

Business Requirements Document: A High-level Review

Many businesses have a process in place to assist with project management and implementation. One opportunity for improvement involves making reasonable estimates of how big a project is and how much it is going to cost. There are many different names for tools used with this process: business needs specification, requirements specification or, simply, business requirements. Business requirements are the critical activities of an enterprise that must be performed to meet the organizational objective(s) while remaining solution independent.

A business requirements document (BRD) details the business solution for a project including the documentation of customer needs and expectations. If an initiative intends to modify existing (or introduce new) hardware/software, a new BRD should be created. The BRD process can be incorporated within a Six Sigma DMAIC (Define, Measure, Analyze, Improve, Control) culture.

The most common objectives of the BRD are:

  • To gain agreement with stakeholders
  • To provide a foundation to communicate to a technology service provider what the solution needs to do to satisfy the customer’s and business’ needs
  • To provide input into the next phase for this project
  • To describe what, not how, the customer/business needs will be met by the solution

The BRD is important because it is the foundation for all subsequent project deliverables, describing what inputs and outputs are associated with each process function. The process function delivers CTQs (critical to quality). CTQs deliver the voice of customer (VOC). The BRD describes what the system would look like from a business perspective.

The BRD distinguishes between the business solution and the technical solution. When examining the business solution the BRD should answer the question, “What does the business want to do?” For example, the business wants to serve 100 bottles of red wine each night during a three-day conference and the wine must be 57 degrees Fahrenheit when poured. The technical solution should support the business solution. For example, the company would need a wine grotto or refrigeration storage unit capable of holding 300+ bottles operating between 48 and 52 degrees Fahrenheit.

Who Should Be Involved in the Creation of the BRD?

A number of teams and partners should create the BRD:

  • Project core team
  • Business partner(s)
  • Process owner(s) or representatives
  • Subject matter experts
  • Change/project/product management, quality department and/or IT management as needed or available

Prerequisites for BRD

Prerequisite one for a BRD is the project charter, created during the define phase of a DMAIC project. The BRD provides the opportunity to review the project charter to ensure that the objective, goals, scope, project team, and approvers are accurately reflected.

Prerequisite two is a current environment assessment created during the measure phase. This includes a detailed process map of the current environment highlighting areas that will be changed during the project. Detailed “as is” process maps should include:

  • Clearly defined start and end points of the process
  • Level two and three process functions
  • Defined areas of rework and non-value added steps
  • Cycle time, capacity and rework information for each process step as available
  • Baseline for each CTQ for the current environment

Prerequisite three is CTQs, identified in either the define or measure phases, and validated with baseline measurements, targets and specifications.

  • Current measures: Data that defines and describes current performance – sigma level of the CTQ includes a definition of how the product/service’s characteristic is to be quantified.
  • Target/nominal value: What is the aim of the product/service? If there was never any variation in the product/service, this would be the constant value.
  • Specification limits: How much variation is the customer willing to tolerate in the delivery of the product or service? Define upper and lower specification limits as required by the customer needs.
  • Allowable defect rate: How often are the producers willing to produce a product/service outside the specification limits?

Prerequisite four is the target environment assessment, created in the measure phase, and includes a detailed process map of the target environment including level two functions. When distinguishing between level two or three functions, group the process functions into the following categories:

  • People: People are processing information and making decisions [core team designs high-level design/low-level design (HLD/LLD)]
  • Systems: Systems are processing information and making decisions
  • Systems/people: System is processing information and people are making the decisions
    • Distinguish between employee and customer
    • Distinguish leadership requirement for associate in case decision making authority has to be moved up
  • Fishbone: For each process function for impact assessment

Overall Project Details and Best Practices

The BRD appendix can be used to list a number of project details – constraints, assumptions and dependencies, business rules, scope, measurements reporting and other topics critical to the project. Consider the following issues when looking at the overall project:

  • Are there any regulatory or geographic constraints (e.g., state law) to consider? If so, these constraints need to be clearly documented in the process detail table of the BRD or in the overall project details section of the appendix.
  • What assumptions or dependencies apply?
  • What business rules apply?
  • Are there any measurements or reporting requirements that apply to the project?

Best Practices

  1. Validate scope: review and refine the scope as needed based on a process detail table, identifying any changes to what is in or out of scope now that the requirements have been developed. Complete this prior to obtaining the business partner(s) sign-off and lock down the scope of the project. Any changes to the project after this phase will be handled through a change control process.
  2. Create systems impacted document: Create a design-elements diagram for each level two or three process function for impact assessment for:
    • People
    • Process
    • Technology
    • Materials and supplies
    • Facilities
    • Product
    • Machinery and equipment
    • Others as necessary (depending on the organization)
  3. Definitions and acronyms: Define any terms not clearly understood by all.

Packaging the BRD

Package the BRD so it has a logical flow and is easy to follow. An example of a high-level list of sections follows:

  • Project overview including project charter information, scope, and objectives
  • Current environment assessment and systems overview (see additional details below)
  • Future process map
  • Process detail table
  • Overall project business rules and constraints
  • Impact assessment (fishbone for process functions)
  • Functional requirements (additional details below)
  • Data to be held (additional detail available below)
  • Schedule and budget
  • Terms and definitions
  • Approver information
  • Team information

Business Partner Sign-off

Business partners should be active participants in the development of the BRD, but a final review and sign-off is also essential.

Additional Details

There are a number of items included in the BRD that require detailed documentation to ensure successful implementation. Following is a high-level overview of the types of detail to consider:

Sample questions for the current environment assessment and systems overview:

  • Who is the intended user?
  • How many users are there? Are they the same type of user or different?
  • What level of computer experience will the users have (or is needed)?
  • What is the required security?
  • Are there hardware constraints – networked or stand-alone?
  • What are the approximate numbers of records required initially plus the anticipated growth?
  • What technical support is necessary and available in-house?
  • What other systems need to integrate/communicate?
  • Backup. Describe the current back-up regime (e.g., tape back-up one/day). How will the new system fit with this? If this is not currently defined, then think about how much data could be inadvertently lost. For example, would it be a major disaster if the last 30 minutes of work was lost, or could yesterday’s/last week’s data be retained?
  • Deliverables. What are the expectations – system, help files, documentation, full source code, training, support, etc.? Detail what is essential versus nice to have. Do not automatically ask for everything unless necessary. If the project manager is to maintain the system, make sure he states that he requires the full source code; alternatively, if the developer is to maintain the system, consider settling for an escrow agreement (where the source is held by an independent third party). Be specific about the tools necessary to help. If the developer is unwilling to provide the support necessary, find someone else who will.

The functional requirements section should describe “what” the system is to accomplish rather than the “how.” Develop a prioritized list similar to the following:

  • A detailed description of the requirement including goals (e.g., produce a report of spend/department/year on demand with the user selecting the department and the financial year required); for that example it is also necessary to know how the company defines the financial year.
  • How important is this requirement (essential, preferred, nice to have, not essential, etc.)?
  • Any known design/implementation issues relating to this requirement?
  • Does this requirement interact with other requirements?

Data to be Held: Sample Advice

Describe expected data tables. Examples include customer records, contact details, machine records, etc. Provide as much detail as possible – a customer record might consist of a name, address, telephone number, fax, mobile number, region, business type, number of employees, etc. Indicate any unique fields (such as a job number) and show how different tables relate to each other (very important). For example, projects are related to customers through a customer number. Each customer can have none, one or many associated projects. Each project relates to one or more jobs. A job can exist independently of a project but will still be associated with a customer. A project will always have only one customer.

It is not usually necessary to define the tables in database terms (e.g., customer number is a long integer), but examples of the data to be held in the fields are useful (e.g., a typical job number might be FH/1234, where FH indicates the department undertaking the job and 1234 is a unique number. In practice a good database designer would then recognize that the “real” job number is actually the 1234 part and the FH is just an associated field). If the maximum size of any field is known – for example, a “Company Name” field is 100 characters – then include this. If there are any table definitions from existing systems, provide these, indicating any required changes.
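As an added illustration (not part of the original page, and bearing in mind the text's advice that database terms are not usually needed in the BRD itself), the customer/project/job relationships described above expressed as a constructed SQLite schema, with a loader that enforces them and a helper that splits the FH/1234 job number the way the text describes; the table and column names are assumptions:

```python
import re
import sqlite3
# Constructed schema (not from the page) for the relationships the text describes:
# a project has exactly one customer; a job always has a customer and may or may
# not belong to a project; "Company Name" is capped at 100 characters.
SCHEMA = """
CREATE TABLE customer (
    customer_no  INTEGER PRIMARY KEY,
    company_name TEXT NOT NULL CHECK (length(company_name) <= 100)
);
CREATE TABLE project (
    project_no  INTEGER PRIMARY KEY,
    customer_no INTEGER NOT NULL REFERENCES customer(customer_no)
);
CREATE TABLE job (
    job_no      INTEGER PRIMARY KEY,   -- the 1234 part of FH/1234
    dept        TEXT NOT NULL,         -- the FH part, just an associated field
    customer_no INTEGER NOT NULL REFERENCES customer(customer_no),
    project_no  INTEGER REFERENCES project(project_no)  -- NULL = independent job
);
"""
JOB_RE = re.compile(r"^([A-Z]+)/(\d+)$")

def split_job_number(text):
    """Split a job number such as 'FH/1234' into (dept, number)."""
    m = JOB_RE.match(text)
    if not m:
        raise ValueError(f"bad job number: {text!r}")
    return m.group(1), int(m.group(2))

def open_db():
    con = sqlite3.connect(":memory:")
    con.execute("PRAGMA foreign_keys = ON")  # enforce the REFERENCES clauses
    con.executescript(SCHEMA)
    return con

def load_sample(con):
    """Constructed sample rows: two customers and one project owned by customer 1."""
    con.executemany("INSERT INTO customer VALUES (?, ?)", [(1, "Acme Ltd"), (2, "Beta plc")])
    con.execute("INSERT INTO project VALUES (10, 1)")

def add_job(con, job_text, customer_no, project_no=None):
    """Insert a job; a job placed in a project must belong to that project's customer."""
    dept, number = split_job_number(job_text)
    if project_no is not None:
        row = con.execute("SELECT customer_no FROM project WHERE project_no = ?", (project_no,)).fetchone()
        if row is None or row[0] != customer_no:
            raise ValueError("project belongs to a different customer")
    con.execute("INSERT INTO job VALUES (?, ?, ?, ?)", (number, dept, customer_no, project_no))
    return number
```

A job with no project is accepted as long as its customer exists, while a job pointing at another customer's project is rejected before it reaches the table.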

Summary

As with any tool, the BRD can have both benefits and failure modes. Benefits derived from a good BRD include reduced changes during the improve and control phases of DMAIC and reduced time to deployment. The failure mode of a poor BRD is that the system developed will not meet business requirements. Creating a successful BRD requires planning and coordination. There are a few best practices that should be followed in this process. The team should hold a dedicated off-site session to complete the BRD with all required resources 100 percent available. Scheduling is the key to success here. Build the BRD as each tool/deliverable is completed within the methodology. Allow a one-week deadline to finish action items from the off-site session and hold a final review session two to three hours after completion of action items.

Due Diligence for Requirement Gathering Track

Do a fully-fledged requirement analysis:

i. Have a common project folder structure as per enterprise project management standards (which include naming convention and versioning) to access the requirements and analysis documents below and the archive of important emails, and inculcate a practice that all future artefacts, such as daily updates, are placed in the common folder by every stakeholder involved in the project.

ii. Physical visual chart showcasing key milestones and project status (in-progress, parked issues, in-live, future-live, etc.) on the project execution floor – Bay Area.

iii. Stakeholder analysis matrix document to be placed in common project folder to identify key personnel both internal and external for requirements gathering.

iv. The recommended approach is targeted in-person workshops to understand requirements. Document the minutes of meeting (MOM) for the workshops and place them in the project folder.

v. Go through the existing reporting to ensure that the stated requirements meet the actual reporting needs of end users.

vi. Elicitation of requirements as a BRD with targeted sections for Scope, Metrics, Data Elements etc.

   1. An ideal BRD with the following sections will be baselined:

      a. Scope of work – inputs and outputs

      b. Business objective

      c. Assumptions/limitations

      d. Risks

      e. Out of scope

      f. Stakeholders’ (Business SME / IT SME) contact list

      g. Personnel workflow list to identify key stakeholders critical to the execution of the project

      h. Reporting and quality assurance

      i. Delivery schedule for deadlines and milestones

      j. Sign-offs section

      k. Ancillary list of artifacts that may be packaged with the BRD for BI projects:

         i. Business Data Elements list

         ii. Business formulae and calculation steps for metrics in reporting requirements

         iii. Data dimensions organized by business subject areas and hierarchies

         iv. Standardization of the Business Data Elements list

         v. Business Priority Matrix

         vi. Requirements Traceability Matrix to support testing artifacts

         vii. Data dictionary or glossary of terms

vii. Walkthrough of the BRD and review.

viii. Place a change log artifact for BRD and SRD versioning before and after baselining.

ix. Maintain and update a review log by both internal and external stakeholders for the BRD and SRD.

x. Update comments in the BRD for baselining and sign-off.

xi. The signed-off BRD will lead to the SRD requirements.

   1. The System Requirement Document (SRD) will be prepared after analysis by elaborating the BRD in detail for each functional requirement, describing the granularity of data, metrics calculations for reporting requirements, limitations, reconciliation and open issues.

      a. Ancillary list of artifacts that can be packaged along with the SRD:

         i. Solution Architecture Diagram

         ii. Data Flow Diagram

         iii. Dimensions and measures for reporting requirements, and the type of visual required for reports

         iv. Bus Matrix

         v. Non-functional requirements

         vi. Data governance implementation documents

         vii. Data profiling document to check availability, completeness, consistency and accuracy

         viii. Data dictionary or glossary of terms

xii. Walkthrough of the SRD and review.

xiii. The Open Issue Log will be kept updated in parallel with the BRD and thereafter.

xiv. Have a SIT/UAT step and UAT sign-off by business stakeholders, both internal and external.

xv. Pre-go-live testing in the Prod environment by the Business Analyst.

xvi. Go-live.

xvii. Follow the prod support work for the live BI reports that are deployed, followed by the BI reports that are under deployment.


CPCU Material