The danger of split limits and why “proximate cause” is important to understand
A $5mm limit on an insurance policy should mean $5mm, right? What if that is broken down further: $3mm first party coverage, $4mm third party coverage, etc.? At that point you may be wondering: how much coverage do I actually have?!?!
In auto policies it is common to see coverage like 300/100/100. And cyber insurance typically has some sublimits, but take a close look at the major categories of first and third party coverage (plus professional/technology services on a Tech E&O policy).
At Beltex we’re not fans of policies that split major coverage limits in this way, especially when there are a ton of great options with matching limits across the entire policy. In one egregious example, our team recently saw an MSP (IT consultant) Tech E&O (cyber + E&O) policy with $7mm technology services coverage, but only $1mm in first party cyber (i.e. an event directly impacting the MSP).
Example coverage
A recent policy Beltex reviewed looked similar to this:
Errors and Omissions Liability: $3mm
Cyber and Privacy Security Liability: $3mm
Security Breach Remediation: $1mm
Cyber Extortion: $1mm
In the event of a ransomware attack…do you have $3mm or $1mm coverage?!?
Here is your new insurance nerd term for the week: proximate cause. According to Cornell Law School “The term ‘proximate cause’ means a cause which in a direct sequence [unbroken by any superseding cause,] produces the [event] complained of and without which such [event] would not have happened.”
What does that mean in plain language? It is the start of an incident or claim. Let’s use a famous MSP industry example. A cloud hosted RMM (management tool) had a security vulnerability and attackers gained access. The proximate cause is a first party cyber claim, because at the start, the attackers breached the MSP’s system. Theoretically they have access to the client systems, but that was not the root cause.
Why does it really matter? In the real world?
For 90% of cyber claims, it probably will not. The majority of claims come up because of contractual disputes, service failures, etc. Additionally, this is not a clear-cut rule. Tiny claims are typically paid out even if the carrier disagrees with the coverage. And courts in different states take different approaches.
However, in the example above where an MSP tool is used as the attack vector, this can result in limited or sometimes no coverage. And unfortunately, those attacks tend to be the most substantial. The good news is that there is a simple resolution that likely does not cost anything additional.
The majority of carriers will offer matching limits. When the Beltex team sees split limits, it is often from non-cyber specialty carriers, startup policies, or uneducated brokers. Getting a policy with matching limits is a simple task for a cyber-savvy agent.
Don’t just take our word for it:
The following articles discuss this issue in some way, and fall on both sides of the argument. This is less of a reference section and more a way to provide insight and context for aspiring insurance nerds.
https://www.sedgwick.com/blog/property-insurance-exclusions-lessons-from-recent-high-profile-incidents/ (UK events but the insurance concepts are applicable to the US)