More on Deductibles and their Wily Ways

The humble deductible: broadly understood and often ignored. But there’s actually a surprising number of levers one can pull to customize them. Whether you’re looking to reduce cost by taking on more risk, or looking for certainty in your budget outlays, there may be opportunity in reviewing your deductible structure. Below are just a few examples.

  1. Deductibles and Retentions are Different but Cannot be Assumed

Point zero here is to acknowledge a technical difference between a “Deductible” and “Self-Insured Retention” (SIR). However, the industry is inconsistent in applying this terminology so you should NEVER assume your obligations based solely on the label. For simplicity, the term “Deductible” is used here in a general manner.

  2. “Loss Only” Deductibles (aka First Dollar Defense)

A traditional deductible applies any time a claim is made. However, for liability policies, we can have a “Loss Only” deductible. This exempts defense costs from the deductible and applies it only when an award or similar payment is made; this is often known as “First Dollar Defense”. Since defense costs can comprise the entirety of a claim, this type of deductible can be hugely beneficial.

Though rare, this is something worth exploring on any professional liability policy, especially one that assesses separate deductibles for individual claimants. It is more common elsewhere: you can still find these with some regularity in places such as D&O and Cyber policies.

Alternately, removing this type of deductible could be a way to save premium dollars – if your policy already carries a “Loss Only” deductible, there’s potential to lower policy cost by moving to the traditional structure.

  3. Aggregate Deductibles

Aggregate deductibles are exactly what they sound like – a cap on the amount of deductible dollars over the course of the policy period. These are common in property policies, especially those with a geographic concentration of CAT-exposed properties which could all theoretically be damaged by the same event. Aggregate deductibles are seen in liability policies as well, usually as part of a quasi-self-insurance large deductible program. Aggregate deductibles are negotiable, but often start at 3x the underlying (e.g., if you have a $100K deductible, expect the aggregate to be no less than $300K).

These aggregate deductibles can be exceedingly helpful as they can contain an insured’s deductible exposure from essentially infinite (as one can have any number of claims under, say, $500,000) to a specific dollar amount that can then be funded.

Because of this, aggregate deductibles can make moving to a voluntary high deductible program much more palatable and a great “first step” toward self-insurance. A side benefit of this is that having an aggregate (especially one fully funded) is a great way to get finance partners and jurisdictional authorities on board with an otherwise non-compliant high deductible program.

Note that when putting money aside like this for liability cover, one also needs to fund deductible amounts for incidents reported under prior policy periods, as typically those are subject to that prior policy’s terms, including any deductibles/aggregates therein.

  4. Deductibles that Reduce Limits

Be very aware that policies vary on whether payments under the deductible count toward the policy limit. By this I mean a policy that has a $1M limit with a $100K deductible may only obligate the carrier to pay $900K (since the $100K deductible is considered part of the limit).

While all policy forms vary, the “rule of thumb” is that for professional liability policies you should assume the deductible is part of the limit, while with General Liability it typically is not (nb: Surplus Lines GL carriers love to sneak this in). For other liability cover, such as D&O and EPLI, it’s a crapshoot.

So consider this when comparing competing options; a quote that’s more competitive may actually be offering a functionally lower limit of coverage. This is especially easy to miss on policies with relatively low deductibles ($50K or under) as the premium impact from such a condition is likely to not be so significant as to make the discrepancy obvious.

  5. Reductions for Mediation, Arbitration, etc.

While this particular lever isn’t likely to result in any change to cost, regardless of which way it’s pulled, it’s still worth noting that some carriers will reduce the deductible (usually by half) in cases such as when a claim is settled via mediation/arbitration rather than going to court. The obvious goal here is to reduce claim expenses, so consider this a “carrot” to the hammer clause’s “stick”. Do note these reductions tend to cap out fairly low, commonly at $25,000.

Percent Deductible or a Fraction of Coverage?

The most common case of percent deductibles is in Catastrophe (CAT) property coverage – carriers mandate a deductible be a percentage of insured value (with a minimum) rather than a flat dollar amount. Yet two options that look the same could be anything but.

A primary difference lies in how or to which figure the percentage is applied. If you have a combined 100M in coverage, with 70M of that building and 30M contents, is your (e.g.) 5% deductible applied to 30M or 100M? That’s a question with three and a half million dollars of relevance.

Now imagine that same claim happens on a multi-location policy with a 500M limit – does our deductible then apply to that aggregate value? Yikes.

The preferred method is to apply the deductible to only the specific coverage part(s) triggered by the loss. You’ll often see policies refer to this as a “per coverage unit” deductible, the coverage units typically being Building, Contents, and Business Income/Extra Expense. Doing so means if you have a loss to only (e.g.) Contents and Income, you only pay 5% of the value of those two items. “Coverage unit” can be further itemized, such as if you have large amounts of categorized “Outdoor Property” or “Property of Others”.

Note this ultimately requires identifying the underlying value of these “coverage units”. This is done either via reference to the policy declaration or, more typically, to the Schedule of Value (“SOV”) on file with the carrier. Be aware what this means: the itemization on your SOV is ultimately what determines your deductible. In other scenarios, this might be a non-issue, but here, lumping values into a single entry or evenly allocating a sum total across locations could obligate you to a much larger deductible than imagined.

Percent deductibles vary not only in the dollar amounts they represent but also in how they are triggered. Because of this they demand scrutiny as well as a good scrubbing of your SOV. Pay close attention to the values on which the percentage is based, and aim to secure one that applies “per coverage unit”. Also make sure your SOV is itemized correctly as, after all that, we don’t want to be left holding the bag because a spreadsheet had 25 lines instead of 26.

CrowdStrike: What We Can Learn

To recap:
1: Delta Air Lines uses CrowdStrike’s “Falcon Sensor” for antivirus.

2: On 07/19/2024, an update to the Falcon Sensor bricks Delta’s systems, grounding 6,000+ flights and (supposedly) costing $500M.

3: Delta publicly and privately tells CrowdStrike they’re going to pay.

4: CrowdStrike responds to Delta stating they have a different opinion.

Firstly, if you consume any media about this event, let it be this video: https://www.youtube.com/watch?v=wAzEJxOo1ts&t=619s.

This was created by David Plummer, an old-school Windows developer who runs a YouTube channel (and who has a book!). He does a wonderful job of making tech topics consumable and has tons of wonderful anecdotes. Just a great channel all around. Regardless, watch the video and I guarantee you’ll know more about this than you did 15 minutes ago.

With the facts as established as they’re gonna be, let’s dissect that letter.

Dear David:
I am writing on behalf of my client CrowdStrike, Inc. in response to your letter dated July 29, 2024, in which Delta Air Lines, Inc. raises issues and threatens CrowdStrike with legal claims related to the July 19, 2024 content configuration update impacting the Falcon sensor and the Windows Operating System (the “Channel File 291 incident”).

Can we appreciate how much this letter sounds like the dozens and dozens (and dozens) of letters insurance and risk professionals receive? I guess this just goes to show that the only thing that changes about claims is the dollar figure….

CrowdStrike reiterates its apology to Delta, its employees, and its customers, and is empathetic to the circumstances they faced. However, CrowdStrike is highly disappointed by Delta’s suggestion that CrowdStrike acted inappropriately and strongly rejects any allegation that it was grossly negligent or committed willful misconduct with respect to the Channel File 291 incident. Your suggestion that CrowdStrike failed to do testing and validation is contradicted by the very information on which you rely from CrowdStrike’s Preliminary Post Incident Review.

Eagle-eyed readers will notice a specific word here: GROSS negligence. And this is why contracts are so important, because by invoking GROSS negligence Delta is attempting to do a couple of things.

First, to allow for punitive or exemplary damages, which are typically only allowed in cases of “gross” negligence. “But punitive damages aren’t insurable,” an astute insurance person might respond. Yet this isn’t entirely accurate. While many policies do exclude this, some don’t, and whether they even can be insured is subject to individual jurisdictional rules. In fact, most (US) localities actually do allow insuring punitive damages, though with very specific qualifying criteria (usually “vicarious only”). So if you’re an insurance professional, strive for solutions that follow suit (e.g., cover such damages “where insurable by law”).

The second reason Delta is alleging gross negligence is because there is certainly a liability cap in their contract. Such caps can be bypassed (either via contract language or by operation of law) if the offending party is “grossly” negligent or engages in “willful” misconduct. You hire a vendor and they trip and start a fire: their liability to you is capped. You hire a vendor and they’re an arsonist who intentionally starts a fire: their liability to you is uncapped.

As a risk professional, these liability limitations are some of the most critical yet rubber-stamped parts of contracts. I can’t tell you the number of times I’ve seen a business accept boilerplate language that limits liability to, for example, “the cost of the contract” (i.e., what you’re paying the vendor). I’ve even seen such in architectural/engineering contracts! That’d be like limiting the liability of my auto mechanic to the cost of my brake job – a lot more damage than the few hundred bucks the work cost can result if those brakes don’t work.

Delta’s public threat of litigation distracts from this work and has contributed to a misleading narrative that CrowdStrike is responsible for Delta’s IT decisions and response to the outage. Should Delta pursue this path, Delta will have to explain to the public, its shareholders, and ultimately a jury why CrowdStrike took responsibility for its actions—swiftly, transparently, and constructively—while Delta did not.

While this is speculation, note the verbiage of “CrowdStrike [is not responsible for] Delta’s IT decisions and response to the outage.” It does not say CrowdStrike wasn’t responsible for the outage, or that CrowdStrike didn’t err, or that they didn’t specifically circumvent system security when rolling out updates. This is clever wording, from a clever attorney, who knew this letter was going public.

Among other things, Delta will need to explain:
● That any liability by CrowdStrike is contractually capped at an amount in the single-digit millions.

Womp womp.

Items for Legal Preservation:
1. Delta’s response to the Channel File 291 incident.
2. Delta’s emergency backup, disaster recovery, and IT business continuity plans, and any related testing of those plans.
3. All assessments of Delta’s IT infrastructure, including any gaps and remediation recommendations, for the last five years, including in the wake of the Channel File 291 incident.
4. All decisions to upgrade or not upgrade Delta’s IT infrastructure in the last five years.
5. All scripts and software that Delta has deployed before and after the Channel File 291 incident to address possible Windows group policy corruption issues across the IT estate.
6. All system event logs for the weeks preceding and succeeding the Channel File 291 incident.
7. All encryption-level software that Delta deployed on all its IT infrastructure and the management of this software.
8. All technology and operating systems that Delta utilizes to assign workflow, routes, crews, flight schedules, etc. and any information, documents, or analysis on how that technology interacts with any software that Delta employs on its IT infrastructure.
9. Any data loss following the Channel File 291 incident related to Delta’s workflow routes, crew and flight schedules, and all communications with crew members following the Channel File 291 incident.
10. Delta’s response and recovery to any previous IT outages in the past five years.

Not earth-shattering, but I cite the above just to show how problematic legal discovery can be. Can you imagine, as a business owner, coming in and needing to essentially produce a report regarding how you responded to every IT outage over the past 5 years? Now imagine you have services all over the world and 100,000 employees. You may be completely within “the right” of whatever legal dispute you’re having, but it’s going to cost you a million bucks just to comply with discovery.

Now certainly some of the above is likely to get reduced in scope for being onerous, but the point is that the majority of expenses and effort happen well before trial, and this is just a “throwaway” letter!

Delta has a big enough checkbook to figure this out, but what about a $100M company? A $10M company? A $1M company? Something like this would ruin them. Hope they know a good insurance person.

What Enron Can Teach Us About D&O Coverage

The Enron saga is, itself, utterly fascinating. If you haven’t had the chance, there are several good documentaries about it, one being “Enron: The Smartest Guys in the Room”. Unfortunately I don’t believe it’s available on Netflix anymore, but alternate streaming services still have it (here’s an Amazon link). I’m sure there are more in-depth and technical sources out there, but as a relatively “soft” documentary it’s a great film with which to wind down a day. FindLaw.com also has an interesting set of articles if you’re looking for more to peruse.

While perhaps not the most interesting of all the specific topics dealing with Enron, there are some curious lessons in the way insurance played out – especially D&O. If you’re just looking for the take-home point it’s this: even if a defendant pleads guilty, that is not considered a “final adjudication” of guilt (I know!), at least in the Enron case. This was surprising to me, and I suppose to Enron’s D&O insurers as well, who I understand had put up a total of about $350M in limits. Here is an expert explaining the circumstance from an IRMI whitepaper (I have since lost the link but I *believe* the below is verbatim):

Former Enron CFO Andrew Fastow pleaded guilty in criminal proceedings associated with Enron’s bankruptcy. Yet since the Enron D&O policy forms were written on a “final adjudication” basis, the insurer was obligated to continue defending Mr. Fastow against civil lawsuits because his conduct still had not been subject to “final adjudication.” Although Mr. Fastow had already pleaded guilty to criminal charges, he had not yet been sentenced and until that time could still change his plea. But by continuing to defend Mr. Fastow, other far less culpable directors and officers—including retired directors—had their remaining policy limits depleted.

My notes say the IRMI article called the “Final Adjudication” language a “minefield”, but I wouldn’t go that far (seriously IRMI?). However, it is one of the most preferential provisions an insured can secure in a D&O policy – and be careful out there, because while it is becoming *more* common it should certainly not be considered the default. While such language may provide for sub-optimal circumstances – such as a “guilty” director getting defense coverage they “shouldn’t” have – the benefit of preserving coverage for alleged fraudulent acts that ultimately prove baseless far outweighs such consequences.

But there’s a second consideration to all of this as well. What if, instead of “guilty”, Andrew Fastow had pleaded no contest? Is a plea of nolo contendere a “Final Adjudication”? The short answer is… “No!” But do bear in mind that jurisdictions vary. This “Policyholder Advisor Alert” from the law firm Anderson Kill (NY) does a great job of explaining how the variations on the “Final Adjudication” clause in a policy can play out, both theoretically and practically:

The most advantageous conduct exclusions are triggered only by a final and non-appealable adjudication against the policyholder. Conversely, insurance companies may interpret references to “determinations in fact,” “adverse admissions,” or other potentially non-final determinations as giving them license to adopt an earlier trigger. Triggers like “written admission by the Insured” or “plea of nolo contendere or no contest regarding such conduct” make it more likely that the insurance company will apply the exclusion. An insurance company might attempt to latch onto a statement by the policyholder’s representative at deposition or a preliminary finding of fact by the court. Even an exclusion that lacks only the “non-appealable” component could be fodder for an insurance company to argue against coverage, even if an incorrect result is overturned on appeal.

Final, non-appealable adjudication language ensures the policyholder gets its full “day” in court and pushes the coverage decision further into the future, increasing the likelihood of a settlement that avoids the conduct exclusion altogether.

You will note that they specifically mention some provisions which state “an admission by the insured” or similar – this is because carriers are inserting these into “Final Adjudication” clauses with regularity, though not always. Again, it’s important to know how your particular provisions work.

Another topic to discuss, which the above Anderson Kill article touches on, is severability. This is the portion of your policy usually hidden in the “warranty”, “state conditions” and similar pages that people tend not to read. In short, severability determines whether one insured’s actions impute to, or otherwise affect, another insured’s coverage. For example, if one director is found guilty of fraud, what happens to the coverage for the other directors? What happens to the coverage for the corporation? What happens if the CEO knowingly falsified and signed the coverage application – will that exclude coverage for other individuals?

This, again, is something that is going to be unique to each carrier. However, I am happy to say that many offer decently advantageous “severability” clauses either in their base form or via endorsement. When you’re looking at these you want to pay attention to two key areas:

1. What happens if one director is found guilty – is coverage preserved for “innocent” insureds?

In this case I would say most policies I’ve personally dealt with do preserve coverage. Smaller D&O policies or “add-on” D&O coverage may not be as generous but my experience shows this isn’t a contentious ask.

2. What happens if the application is falsified?

This scenario is typically more complex as, while many carriers address this situation explicitly, they vary widely in to whom the falsification is “imputed”. The more generous provisions will state something along the lines of “if an application is falsified by [C-Level Executives/Directors] it’s imputed to the corporation but not to other directors and officers”. In such a situation, a CEO falsifying an application would remove coverage for the corporate entity, but not for other executives. This is also why D&O carriers often insist that applications be signed by particular individuals.

D&O policies are some of the most complex beasts out there, and such complexity often isn’t appreciated until the crisis arrives. So if you have the time, I highly suggest you look at not only Enron data (I picked that simply because of its fame and the info is plentiful), but anything else you can get your hands on. These types of policies, being “relatively” new to the scene and non-standard, are also going to be highly sensitive to jurisdictional changes (jurisdiction itself being a concern when you have a policy for a national or international client!).