
IRMI Update

Risk Management & Insurance Commentary, Tips, and Tactics
January 25, 2017 | Issue 374 | ISSN: 1530-7948


If there were previously any risk professionals who believed that the only organizations with significant cyber-risks are retailers, medical facilities, and others with personally identifiable information (PII) or medical records, two recent events and a recent trend should have shaken this belief. The first event, of course, was the hacking of the Democratic National Committee e-mails and the resultant fallout from it. The second was the discovery that Chinese citizens hacked into networks of US law firms working on mergers and used the information to engage in insider trading. The trend is the increased frequency of manipulating people into transferring funds by wire to the perpetrator, often by posing as an executive of the company.

In none of these cases was PII targeted, and in all of them, social engineering is the exploit used to gain access to the systems. "Social engineering" is the act of deceiving people to cause them to divulge confidential information—such as passwords—or to take an unwise action—such as wiring funds to a criminal. This is often achieved with phishing attacks.

A key aspect of phishing is that technology safeguards are largely ineffective in combatting it. If, for example, you divulge your password, you are giving the criminal access to your account, and there are few technologies that will stop them. The IT department cannot be relied on to stop this from occurring. Thus, an organization's employees become the weak links in its cyber-security program, and the primary way to mitigate the risk is training employees to recognize and ignore phishing attempts. There are quality online training programs available to accomplish this training, and every organization, large or small, should consider investing in one.

What do you think? Have you used any online cyber-security training programs to raise awareness at your company (or your client's companies)? Were they effective? Share your thoughts with other readers in the IRMI LinkedIn group.

"Coverage for Property Losses Caused by a Cyber Attack" is one of the topics to be covered at the 2017 IRMI Energy Risk & Insurance Conference. Direct property loss and business interruption are cyber-exposures facing many companies that are likely not getting the attention they should. Check out the full array of topics, and consider joining us in Dallas on March 6–8 for this conference.

All the best,


Jack P. Gibson, CPCU, CRIS, ARM
President & CEO | IRMI

Breaking Coverage Case

Imprecise ROR Letter Doesn't Cut It

Due to imprecise reservation of rights (ROR) letters, the South Carolina Supreme Court found that a commercial general liability (CGL) insurer waived the bulk of its coverage defenses for a $14 million judgment in a construction defect lawsuit. In Harleysville Grp. Ins. v. Heritage Cmtys., Inc., 2017 S.C. LEXIS 8 (S.C. Jan. 11, 2017), two condominium towers built by a general contractor experienced significant water-intrusion problems shortly after completion. After the insured general contractor was sued, the insurer agreed to defend and sent ROR letters. A significant judgment was later entered against the insured, and the insurer filed a lawsuit contesting coverage.

The insurer attempted to argue that the cost of repairing faulty workmanship was not covered under CGL policies. However, the insured argued that the ROR letters were insufficient to allow the insurer to contest coverage. Although the ROR letters quoted 10 pages from the policy itself, the insurer did not explain its reliance upon any of the quoted language as it related to coverage for construction defects.

The court found that the insurer waived its right to contest coverage due to its imprecise "cut-and-paste" ROR letters. According to the court, the ROR did not expressly put the general contractor on notice that the insurer intended to contest whether any damages resulted from acts meeting the definition of occurrence, whether any damages occurred during the applicable policy periods, and what damages were attributable to noncovered faulty workmanship. Moreover, the ROR failed to inform the general contractor that a conflict of interest may have existed regarding the defense. Due to the insufficient ROR, the court ruled that the insurer waived its right to contest coverage.

Editor's Note: This decision demonstrates the importance of detailed ROR letters. Like South Carolina, most states require the insurer to provide a detailed basis for each potential denial of coverage -- it is not enough to merely copy and paste the policy language.

LEARN MORE: To see the complete analysis and additional commentary on this case, log in to Insurance Case Finder (ICF). If you do not currently subscribe, learn the value ICF offers by watching this short video.

What's New in Your IRMI Library

Exposures Created by the Internet of Things

Few organizations are immune to the risks associated with the Internet and electronic commerce. Nearly all businesses have access to the Internet, operate an e-mail system, and maintain their own websites. As these web-based activities grow in diversity, so also do the forms of malicious intrusions and other types of cyber-attacks, thus giving rise to a variety of new liability and property loss exposures not covered by a standard general liability policy. To keep pace with the ever-changing market and to reflect changes in new insurance agreements, common coverage offerings, and noteworthy exclusions, we have updated the Cyber and Privacy Loss Exposures and the Cyber and Privacy Liability Insurance Coverage sections in Professional Liability Insurance. In addition, we added a new discussion on exposures created by the Internet of Things (IoT). The IoT is a term that collectively refers to everyday items that are connected to the Internet in some way, such as home security systems and smart phones.

You can find both updates in the Cyber and Privacy section of Professional Liability Insurance. These revisions reflect important changes in a number of coverages and emerging cyber and privacy liability exposures. If you subscribe to Professional Liability Insurance, read the revised analysis at the appropriate link below.

For summaries of other new and updated information in your IRMI library, go to What's New on IRMI Online or What's New in Vertafore ReferenceConnect.

Recent Articles on

New Expert Commentary

There are 1,900+ risk management and insurance articles on Below, you'll find summaries of some recent additions with links to the articles.

IRMI Featured Publication

Additional Insured Status: Are You Using Outdated Information?

The Additional Insured Book examines approaches, problems, and case law associated with additional insured endorsements for property and liability insurance. Make sure you have the latest suggestions for modifying coverage to correspond with contractual risk transfers and a better understanding of the troublesome areas of manuscript or insurer-drafted additional insured endorsements. With more than 300 case citations, this resource is relied upon by risk, legal, claims, and underwriting professionals to determine how the endorsements apply to specific situations. See the details and get access to this IRMI best seller today.

