Paragon Blog


London and European Market Status Report March 2021


With the 1st January renewals behind us, we would like to take the opportunity to reflect and share our expectations for the performance of the London and European markets for this coming year.

The market has entered 2021 in a strong position. While we expect Professional Liability rates to continue to rise, it will be at a slower pace than in 2020. The market will continue to differentiate between Insureds, and therefore those with healthier claims records and robust risk management protocols will be treated more favourably.

There is no doubt that 2020 presented us all with unique personal and industry challenges, the likes of which we had not witnessed before. In recent years, the Professional Liability market has experienced several loss-making years, some dislocation within insurers and the movement of underwriting personnel. However, insurers have largely corrected their underwriting portfolios, through a process of re-underwriting, readjusting their capacity commitments and increasing pricing. All these remedial developments have enabled the new and some existing Professional Liability carriers to go into 2021 in a far stronger position than for many years.

Large law firms that purchase substantial towers of insurance coverage may continue to experience demands for double-digit rate increases, as the excess layer markets attempt to recoup from some severe losses. However, new capacity has already entered the market, both in the company and Lloyd’s sectors, and many Lloyd’s syndicates have increased their anticipated Professional Liability underwriting for 2021. This will inevitably create competition and have some dampening effect on these rate increases.

Large Architects and Engineers with less than stellar claims records will also likely see rate increases on a primary basis but again this will be tempered by new entrants into the market.

Unlike other markets, accounts will continue to be differentiated depending on a number of factors, such as loss record, how they navigated the COVID-19 challenges, their preparations for a potential economic downturn, and finally culture and adherence to strong risk management policies.

COVID-19 risks will remain a challenge for insurers and the market will grapple with respect to the effect it has had both on clients and the greater economy. We are happy to assist brokers and their clients/prospects to best position themselves to respond to underwriters’ concerns.

In summary, there is a robust market for US Professional Liability business, with plentiful capacity for individual risks across multiple layers of insurance. We are confident that our team can negotiate vigorously to assist our retail partners in mitigating the increased cost of Professional Liability insurance.

As has always been the case, advanced preparation and planning are the key factors to maximise the best response from the London market. Working from home has been remarkably efficient, but has at times increased the time it takes to get responses.

Our recommendation is to start prospecting for the renewal process with clients a little earlier than in the past, and we are here to help manage expectations in this reduced face-to-face environment.

MANAGEMENT LIABILITY (ML) / EMPLOYMENT PRACTICES LIABILITY (EPL)

Rates will continue to increase significantly for professional services firms, as claims deteriorate and the domestic market continues to exit the primary layers. We witnessed renewal increases of 30% to 40% in 2020 and anticipate similar increases being sought this year. Beazley and Markel remain the key primary markets globally for US fi. We do, however, expect Arcadian, which has offices in Bermuda and Dublin, to begin providing welcome alternative primary capacity.

CYBER

The pandemic has proved once and for all that hackers are less discerning about whom they attack and no amount of risk management will prevent a determined hacker. Sophisticated hackers are able to shut down a firm’s system and keep it closed until a ransom is paid. The most troubling aspect is that there is often no logic as to why hackers attack any given Insured.

Like the rest of the Cyber market, rates are increasing rapidly, in the 20% to 25% range, capacity is reducing and wordings are being reviewed. Professional service firms were once considered a less lucrative target for hackers, but this attitude has changed. Losses are increasing exponentially both on a frequency and a severity basis, and purchasing a cyber policy should no longer be considered an additional option, but rather a financial protection necessity.

The market is changing quickly with some insurers exiting but at the same time new insurers entering the market. Each renewal will be a challenge but we are confident that sufficient capacity exists.

Insurers will differentiate much more strongly based on each client’s security infrastructure and will be interested not only in a client’s cyber defense strategy to keep hackers out of a system but also their internal risk management controls and procedures if they do manage to access systems.

SILENT CYBER EXPOSURES

We are in close consultation with the London and European markets as to how they want to handle so-called ‘Silent Cyber Risks’. The London market hopes to lead the way in clarifying the extent to which Professional Liability policies provide Cyber coverage. We will of course resist any effort to diminish the extent of any Professional Liability cover in existing policies, but understand there is a need to clarify certain first-party expenses, which may not appropriately belong under a Professional Liability policy. We will continue to ensure that we maximise the protection available to our clients, whilst the markets seek to clarify their position in this regard.

CLAIMS

Professional Liability

At Paragon, we collected over $65 million in claims for our Professional Liability clients in 2020, which was a 40% increase from the prior year. The incurred claims figure is likely to be greater than $100 million, when collections are combined with current reserves, as we believe underwriters are holding for claims not yet crystallised. We are aware anecdotally that there has been an increase in severe individual claims settlements across both our Lawyers and A&E clients, with several in excess of $100 million affecting Law firms.

ML/EPL

These classes have experienced significant claims, as the #MeToo movement has given plaintiffs a much higher degree of confidence to pursue large settlements. As a result, settlement amounts have increased in multiples. Many professional services firms have suffered huge losses, be they gender-related or one-off cases.

Cyber

Since the beginning of the pandemic, we have seen a significant uptick in Ransomware claims. This has affected professional service firms as much as commercial firms. On our account alone, we are aware of five losses that on an individual basis have settled for in excess of $2 million in the past six months. The move to Working from Home and the increased use of tablets and smart phones continues to test the most secure IT systems and provide greater opportunities for hackers.

NEW CAPACITY SUMMARY

In what is viewed as a positive rating environment, Lloyd’s has announced an overall capacity increase of 8.9% to approximately $48 billion, with most syndicates being granted an increase, some of which will be allocated to US Professional Liability business. This means that most Lloyd’s syndicates have the approval of Lloyd’s and their own syndicate management to underwrite more business, on both a new and a renewal basis.

Mosaic (Lloyd’s)

Later this year, hopefully at the beginning of the second quarter, Mark Wheeler, previously CEO of Ironshore Europe and subsequently Hamilton Managing Agency, will return to the Lloyd’s market with a new Syndicate 1609, Mosaic. While we have not seen his business plan, we expect him to provide further US Professional Liability capacity and to lead risks in specialist sectors.

Interestingly, several of the well-known Professional Liability senior underwriting executives from Hamilton have also recently resigned. We anticipate that they are likely to be joining Mosaic in due course.

Convex (London Company)

Following her decade-long tenure at Beazley underwriting Law firms and Architects and Engineers Professional Liability, Jana Ratnajothy started at Convex in January 2021. This London-based organisation was recently formed by a London market veteran, Stephen Catlin, and Jana’s role will be Head of the Professional Liability Division, focusing on this class of risk.

Whilst this is a very new role for Jana, she has developed a business plan and the recruitment to build her Professional Liability underwriting team is progressing well. Jana is actively underwriting and is now available for prospect meetings.

Arcadian (Bermuda Company)

After many years at Markel, Joey O’Dea and Sally Gibson resigned in the 4th quarter of 2020 and, as of January 2021, have started at Arcadian. This is a new MGA start-up using Third Point Reinsurance Company and will operate out of Dublin and Bermuda. We understand that Joey and Sally will have a similar appetite for the risks they previously wrote at Markel and are available to meet and underwrite prospective clients.

This new capacity entering the market will not be burdened by claims legacy, and whilst they will be wanting to ride the premium upswing of the hardened market, they will not be under the same internal management pressure to be so aggressive in their rate aspirations. We will be looking for every competitive advantage from the new capacity in order to counter the more aggressive rate ambitions of the incumbent carriers.

PARAGON’S RECOMMENDED BROKING STRATEGY FOR 2021

On occasion, we have observed insurers attempting to underwrite generically, using their broad opinion of a portfolio of business. This is lazy, indiscriminate underwriting. Working with our retail partners, we will challenge this approach relentlessly.

  • The key will be even earlier planning and preparation, focusing on differentiating specific risks. We will continue to help our retailers counsel their clients and prospects to ensure they show themselves in the best light possible.
  • We will advocate for these risks to ensure the markets recognise and acknowledge these factors in their terms and conditions.
  • In a difficult market, we will continue to recommend insurer/client meetings, albeit over Zoom/WebEx. These meetings have worked effectively and continue to provide clients with an opportunity to positively communicate messages not easily conveyed within an application form.

CONCLUSION

The London and European Professional Liability insurance environment will continue to be challenging for US risks in 2021. However, new underwriting appetites are evolving, alongside existing incumbent markets. We will continue to assist retailers and their clients to navigate this unique marketplace, as it plays an important global role as an alternative and/or partner to the US markets.

FOR MORE INFORMATION, PLEASE CONTACT:

Nick Lewin

Partner & Director

E:  nlewin@paragonbrokers.com

D:  +44 (0)207 280 8231

M: +44 (0)797 980 4749

Long term supervision of remote workers in law firms


David Green, co-founder of The Strategic Partner, and preferred risk management consultant of Paragon, spends a significant amount of time assisting law firms with strategic development and has shared the following white paper highlighting some recent concerns and how to manage them.

Introduction

With law firms working remotely during the COVID-19 pandemic, remote working is no longer a new way of working, with many, if not most, firms now set up for this. For some, it has been an innovative and positive experience, but others cannot wait to get back to working in an office, as they miss the social aspect of a workplace and the structure this can bring to the working day.

There is no doubt that the industry is split on whether long-term remote working is sustainable personally and professionally. Still, one thing is for sure: large sections of the industry will be changed forever, with a mix of remote and office working.

Firms that had been reluctant to have employees working from home now realise they can trust employees to get their work done. They have come to realise that employees have adjusted well to the new working environment. This has allowed some firms to review their office space requirements and consider downsizing their offices, with the welcome cost savings this brings.

The experience has given new light for solicitors and fee earners who have previously not adopted working remotely. Many wish to adopt the remote working regime into working life moving forward. Law firms that will be embracing long-term remote working must devise new or updated policies and procedures covering a range of areas to ensure their staff, data and clients are protected, and there is full compliance with the requirements of the regulator.

The Detail and Guidance

There are several elements that a firm should think about, and below we list and discuss some of these areas which we hope provides useful guidance:

  1. GDPR and confidentiality

Firms must have procedures and policies in place to protect the confidentiality of the client’s data.  This could include employees mostly working paperless and firms insisting that employees should lock screens when away from their PC/laptops.  Further, firms could ensure employees store files away safely at home when not being used and proper records maintained by the firm for file/data removal and return by way of a register.

It is the firm’s responsibility to assess the environment of the individual or suitability and provide the necessary equipment to work remotely, whether that is PC equipment or office furniture.

Firms that have not provided PC equipment to their staff, allowing individuals to work from their own PCs and laptops, are putting client data at risk, particularly where multiple people in the household use the PC. Whilst a firm may well provide secure access into the firm’s systems for convenience, many systems will automatically log in, which poses a risk. A firm cannot very well ask a member of staff to disable local saving on their own PC, which means that the moment data is saved locally, the firm is no longer in control of that client’s data.

Protection and management of a firm’s and client’s data have to be at the forefront of a firm’s remote working considerations.  Whilst most firms have enabled staff to have some remote working capabilities by allowing emails to sit on personal devices, this has been controllable as data can be deleted remotely or access denied.  This is not the same for information and files stored remotely.

A firm cannot put the same levels of control around physical data and equipment as they would in the office, but the obligation to protect this does not change, and the loss of data is certainly reportable to the client.  A serious data breach is reportable to the SRA, as would be a breach of confidentiality.

Suppose a firm adopts remote working and shifts its own and its clients’ data to multiple locations. In that case, it must have firm policies in place, alongside training and monitoring to ensure these policies are being adhered to, or it puts the firm and its clients at risk.

  2. Daily guidance and Supervision

Next on the list has to be the supervision of staff, which covers a whole range of areas including but not limited to:

  • Performance management
  • Risk Assessment
  • Compliance and monitoring
  • Formal training
  • Informal training
  • Case guidance
  • 1-2-1’s
  • Knowledge sharing
  • Case allocation (see below)
  • General advice (see below)
  • Inclusion (see below)
  • Auditing (see below)
  • Use of system
  • Meetings
  • Access to support
  • Communication methods

There is a lot for firms to consider.  A remote working policy needs to consider each of the above areas that occur more naturally in an office environment but are unnatural and do not lend themselves to remote working.

Open lines of communication are essential for successful remote working.  It has to be remembered that communication is two-way, and not everyone is an effective communicator.  Still, to sustain long term remote working and inclusion, they have to be, and for those whom it does not come naturally, they need a structure.

Employees must be supervised – SRA Code of Conduct for Firms – Codes 2 and 4 set out the requirements for firms.  Failure to develop robust policies and then document and evidence supervision could expose the firm to criticism from the regulator.

  3. Regular contact and communication with the office

With the fundamentals established (confidentiality and supervision), a firm is then ready to allow long term remote working and with that comes the responsibility to their employees.

The firm should ensure that the employee has regular contact with the office and the supervisor to maintain communication as already detailed. This will involve a range of requirements, such as senior staff reviewing files and matters and having meetings and discussions regarding case management.

Firms can ensure effective demonstration of the supervision of files and fee earners through a register showing that adequate supervision is provided at all levels, and by maintaining and keeping up to date the individual’s training record.

Importantly, individuals need to be included.  It is very easy for an individual or supervisor to overlook or cancel meetings, but this is a failing.  It is more essential than ever to ensure regular touchpoints between staff and supervisors occur to air issues or just touch base.

Firms need to look at their overall performance management programme and adjust this for home workers. They also need to consider inclusion and ensure that a schedule of meetings is clear and attendance is compulsory.

It is also recommended that appropriate time in the office is a requirement. This might only need to be a day or two a month, but that engagement should be encouraged if not enforced.   

  4. Health and Safety

Firms have a duty to comply with the Health and Safety Regulations.  As soon as you extend someone’s home or home office to the working environment, you need to ensure that the individual is protected and the regulations are complied with.

There are basics to consider, such as the workstation itself. Dining room tables and chairs are not always ergonomic, and firms who allow or knowingly allow employees to work with inappropriate furniture risk potential claims against them.

Wherever possible, firms need to provide equipment or a budget to obtain equipment and ensure it is being used effectively.

The physical elements of health and safety are much easier to cope with and deal with, but the psychological impact is certainly not as easy to see. When you are not working with a colleague day-to-day, it is more difficult to pick up on their mental health. A person walking into the office upset or angry is easy to see; however, a person at home behind a PC can become invisible, as can their emotions.

It is not as easy to tell when someone is struggling at home, be that on a personal or professional level, and catching this too late can lead to absence, complaints and negligence. Firms must encourage individuals to speak up when they are having issues, but more importantly, firms need to have systems to identify and manage mental health issues when and if they arise.

  5. Suitability to work with limited supervision

Be ready to say no! Remote working is not a right (unless your firm has decided to abandon physical premises). Remote working may not always be possible.  The physical environment might be wrong (people in house shares, for example, with no private space), but far and above the other reasons is the ability of the individual and their need for monitoring and supervision.

It is a fact that not every role can be effective remotely, even in a law firm.  Every person in a business must add value, as should every role.  If remote working deteriorates the person’s impact or the role, then remote working is not appropriate and needs to be refused.  In scenarios such as this, the needs of the firm and the role must outweigh the needs of the individual unless a sensible and allowable workaround can be achieved.

An employee should essentially be able to work with limited but necessary supervision.  This would mean junior levels of staff who require day-to-day guidance and support with work and tasks would not wholly be able to work remotely unless the firm had procedures and policies in place to ensure adequate supervision was provided and maintained at some level.

This is a tricky topic for some, but firms must remember that they have a duty to develop and supervise their staff.  Failure to do so could cause longer-term damage to a person’s career, particularly if errors, or worse, negligence arises.

If remote working does not fit the role or the experience, be prepared to refuse the request.

  6. Access and presence

Although you and your firm may have moved on and accepted remote working as part of your culture, your clients might not.  Your firm has probably been present within your local or business community for some time, and your clients will be used to your presence, ease of access to your office and staff.

Moving some of your staff remotely and potentially changing your office requirements might impact your clients, and you need to ensure that the action you take does not cause a potential loss of business.

This is certainly more relevant for firms looking to leave an area or relocating.  Your marketing team may have to work a little harder to maintain client confidence.

Linked to this is, of course, ensuring that your fee earners remain available for meetings. Not everyone is happy to meet via video, and some prefer a meeting in person. Remote workers need to be alive to this and not try to convince people into a meeting format they are not comfortable with.

  7. New instructions

It’s important to mention new instructions and how these are processed and monitored. Most law firms will encourage their fee earners to build relationships with clients, which will often lead to direct contact from clients.

Any direct relationship does pose a risk to firms as when in the office, there is more awareness of the work coming into the firm, even when it’s directly between the client and fee earner. However, when a fee earner is at home, the risk of a file coming into the firm that might exceed the individual’s experience or capacity, or that of the firm, increases.

Whilst it might be the case that visibility is provided through a case management system, the detail may be lacking.  Firms are well-advised to ensure a robust process is in place, built to capture, process and accept new business to ensure that supervisors can understand the work coming into the firm and approve it.

Conclusion

For many, remote working is a reality. As the successful roll-out of the vaccination programme and the prospect of lockdowns ending become more of a reality, firms must start to formalise their future plans so that their staff and clients know what is to be expected.

This comes hand in hand with a review of policies and procedures. Moving forward, firms should have a remote working policy in place to provide detailed guidance for employees. This will ensure that both the employee and the firm know and understand what is expected from each other to avoid ambiguity.

Remote working will be a new way of working moving forward.  It should be embraced by firms who are prepared by ensuring that policies and procedures are in place.  The ‘hybrid’ way of working can boost productivity in a firm and allow employees to enjoy a good work-life balance.

If you have any further questions in regard to the above, Paragon, The Strategic Partner or the firm’s approach to risk management more generally, please get in touch using the details below.

CONTACT US

For more information on the changing market, your firms’ PII renewal or to organise a meeting, please contact:

Ryan Senior

E rsenior@paragonbrokers.com

T +44 (0)20 7280 8254

M +44 (0)7827 575 652

Piers Winton

E pwinton@paragonbrokers.com

T +44 (0)20 7280 8224

M +44 (0)7787 375378

 

This article is published without responsibility on the part of the author or publishers for any loss occasioned by any person acting or refraining from action as a result of any views expressed in the article. Specific risk management advice requires detailed knowledge and analysis of firm and practice area facts relating to the risk. The information included in this article cannot and does not attempt to satisfy this requirement for any of its readers.

Cyber insurance market update… and six top tips


Cyber-attacks are never out of the press these days. And whilst these stories were previously confined to the insurance or IT publications, the mainstream media now heavily report these matters as more and more companies find themselves the target of hackers. The coronavirus pandemic has also brought an increase in the frequency and severity of ransom demands, as well as further dislocation in the cyber insurance market.

INCREASED FREQUENCY OF RANSOM DEMANDS:

  • Increased number of hackers and a heightened sophistication of hackers operating, including “hacking as a service” whereby those with the knowledge and means to do so “sell” their services to clients.
  • The increase in successful ransom attacks encourages the hackers to launch further attacks and be bolder with their targets.
  • The pandemic has exponentially increased the number of individuals working remotely. This significantly increases a network’s “surface” and potential vulnerabilities in the network.
  • Significant volumes of emails flowing in and out of any organization will create an increased vulnerability of an attack. Sectors who rely heavily on email to conduct business (e.g. law firms) are at an even greater risk of attack.
  • For some businesses, the need and desire to quickly establish remote working capabilities for their staff in Q1 2020 may have come at the cost of network security.

INCREASED SEVERITY OF RANSOM DEMANDS:

  • The “spray and pray” tactics of yesteryear did not differentiate their targets. A hacker would attack as many targets as possible, hoping someone would “bite”. Ransom demands were small ($5,000-$10,000) and the same for all targets.
  • Hackers now operate in a far more targeted way – they know who they are attacking, their financial means and (in one case we are aware of) the limit of their cyber insurance policy (the hacker was able to view the insured’s cyber policy details before bringing their network down).
  • It is no longer just about the data that an organization is holding, but also about their reliance on their network to do business. Historically we have seen many ransom attacks purely encrypting the network and providing the decryption keys once their demands are met. Now a new trend has emerged where hackers will look to exfiltrate the data as well as encrypt the network – threatening to post this data on the dark web if the ransom demand is not met. So, if your business is reliant on data or an IT network, or in many cases both, you are of interest to cyber hackers.
  • We understand the largest ransom demand paid by insurers is circa $40 million. We have seen ransom demands against our own clients running into the millions of dollars and this does not take into account the additional first party expenses, business interruption costs and extra expenses that are incurred during and post the ransom event.

What can firms do to protect themselves? There is no such thing as 100% secure when it comes to cyber security. The recent SolarWinds & Microsoft Exchange Server breaches demonstrate that a well-resourced hacker can hack any system, including the US government. However, there are some core cyber risk management tools that every organization should consider.

  1. Email controls & security – first line of defense against ransomware events. Use of an email filtering gateway, DKIM, SPF and DMARC will reduce (but not eliminate) the threat posed by hackers.
  2. Multi-Factor Authentication (MFA), especially for all remote access, critical applications, back-ups and privileged accounts.
  3. Utilize an endpoint detection and response tool – in the current environment, endpoint protection alone is no longer good enough. Insurers will want to see firms use endpoint detection and response tools before offering terms.
  4. Secure back-ups – increasingly back-ups are also encrypted by the hackers. Secure back-ups are essential – segregated from the network, offline, backed up on to tapes, access via MFA. And test the back-ups frequently.
  5. Training – one of the weak links in most companies’ defense against hackers is their people. So, train and test all people with connectivity to the network in information security awareness, especially phishing threats, and run regular phishing campaigns. Share results. Give feedback. And continue to train/educate your people.
  6. Maintain good cyber security hygiene – no unsupported software/systems within the network, regular patching, monitoring and logging of access and suspicious activity, have separate credentials for privileged access, limit local administration rights access and employ a strong password policy, with an enhanced version for employees with administration rights.

When it comes to cyber insurance, subject to the terms and conditions of your policy, the ransom payment can be covered. More importantly, the IT/forensics vendor and, in some cases, the specialized extortion vendor that come with the policy will be able to provide support to the firm. They can:

  • Make efforts to assess whether the extortionist has access to what they say they do.
  • Make efforts to assess backups (or other control) in place to understand if the affected network can be restored via backups with minimal disruption to the business, thus not having to pay the ransom.
  • Communicate with the extortionist to try to negotiate the demand down and to determine whether the decryption key is likely to work – vendors often deal with the same hacking group on a daily basis, so become acquainted with their tactics.
  • Make efforts to determine whether the payment is being sent to a sanctioned territory or actor, a requirement under OFAC.
  • Make the payment of the final negotiated demand via cryptocurrency to preserve the firm’s anonymity in the event it was not a targeted attack. The vendor typically has access to cryptocurrency accounts which can help get payment made quickly (these events have very short fuses).

The cyber market is hardening at a rapid pace. However, for risks that can demonstrate strong cyber security controls there is still a lot of capacity available, albeit at increased rates (20-50%) and sometimes increased retentions. If firms cannot demonstrate strong controls then a combination of higher premium, increased retentions, sub limits, no ransomware cover, lower capacity offered and, in some cases, declinations from insurers (renewal and new markets) should be expected. Paragon has a team of expert cyber insurance professionals who can help insureds through the renewal process and obtain the best terms and coverage available from the market.

FOR MORE INFORMATION, PLEASE CONTACT:

James Noon

Senior Vice President

E:  jnoon@paragonbrokers.com

D:  +44 (0)207 280 8242

M: +44 (0)771 867 0599

Copyright ©2021 Paragon International Insurance Brokers Ltd is authorised and regulated by the Financial Conduct Authority. Registered in England & Wales, Company No: 03215272. VAT Registration No: 685151130
Paragon Brokers (Bermuda) Ltd is authorised & regulated by the Bermuda Monetary Authority. Registered in Bermuda, Company No: 33838.