More on Deductibles and their Wily Ways

The humble deductible: broadly understood and often ignored. Yet there is a surprising number of levers one can pull to customize it. Whether you're looking to reduce cost by taking on more risk, or looking for certainty in your budget outlays, there may be opportunity in reviewing your deductible structure. Below are just a few examples.

  1. Deductibles and Retentions Are Different, but Don't Assume Which You Have

Point zero here is to acknowledge a technical difference between a “Deductible” and “Self-Insured Retention” (SIR). However, the industry is inconsistent in applying this terminology so you should NEVER assume your obligations based solely on the label. For simplicity, the term “Deductible” is used here in a general manner.

  1. “Loss Only” Deductibles (aka First Dollar Defense)

A traditional deductible applies to every dollar of a claim, defense costs included. For liability policies, however, there is the "Loss Only" deductible: it exempts defense costs and applies only when an award, settlement or similar payment is made. This is often known as "First Dollar Defense". Since defense costs can make up the entirety of a claim, this type of deductible can be hugely beneficial.

Though rare on professional liability policies, this is worth exploring there, especially on a form that assesses a separate deductible for each claimant. Loss-only deductibles can still be found with some regularity in places such as D&O and Cyber policies.

Alternately, giving up this type of deductible could be a way to save premium dollars: if your policy already has a "Loss Only" deductible, there is potential to lower policy cost by moving to the traditional structure.

  1. Aggregate Deductibles

Aggregate deductibles are exactly what they sound like: a cap on the total deductible dollars an insured pays over the course of the policy period. These are common in property policies, especially those with a geographic concentration of CAT-exposed properties which could all theoretically be damaged by the same event. Aggregate deductibles are seen in liability policies as well, usually as part of a quasi-self-insurance large-deductible program. They are negotiable, but often start at 3x the per-claim deductible (e.g., with a $100K deductible, expect an aggregate of no less than $300K).

Aggregate deductibles can be exceedingly helpful because they contain an insured's deductible exposure from essentially unlimited (one can have any number of claims under, say, $500,000) to a specific dollar amount that can then be funded.

Because of this, aggregate deductibles can make moving to a voluntary high-deductible program much more palatable and a great "first step" toward self-insurance. A side benefit is that having an aggregate (especially a fully funded one) is a great way to get finance partners and jurisdictional authorities on board with an otherwise non-compliant high-deductible program.

Note that when putting money aside like this for liability cover, one also needs to fund deductibles for incidents reported under prior policy periods, as those are typically subject to the prior policy's terms, including any deductibles/aggregates therein.

  1. Deductibles that Reduce Limits

Be very aware that policies vary on whether payments under the deductible count toward the policy limit. By this I mean a policy with a $1M limit and a $100K deductible may only obligate the carrier to pay $900K, since the $100K deductible is considered part of the limit.

While all policy forms vary, the "rule of thumb" is that for professional liability policies you should assume the deductible is part of the limit, while with General Liability it typically is not (nb: Surplus Lines GL carriers love to sneak this in). For other liability cover, such as D&O and EPLI, it's a crapshoot.

So consider this when comparing competing options: a quote that's more competitive may actually be offering a functionally lower limit of coverage. This is especially easy to miss on policies with relatively low deductibles ($50K or under), since the premium impact of such a condition is unlikely to be large enough to make the discrepancy obvious.

  1. Reductions for Mediation, Arbitration, etc.

Unfortunately this particular lever isn't likely to change cost regardless of which way it's pulled, but it's still worth noting that some carriers will reduce the deductible (usually by half) when a claim is settled via mediation or arbitration rather than going to court. The obvious goal is to reduce claim expenses, so consider this the "carrot" to the hammer clause's "stick". Do note these reductions tend to cap out fairly low, commonly at $25,000.
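To see how the levers above interact, here is an added worked example (not code from the original post) that settles a list of claims against a policy with a per-claim deductible and optionally a "Loss Only" deductible, an aggregate deductible, a deductible that erodes the limit, and a mediation/arbitration reduction. The Claim and Policy fields, the dollar figures and the exact ADR reduction mechanics are assumptions built from the text; actual policy wording always governs.

```python
"""Claims-settlement model for the deductible levers discussed above.

Added worked example, not code from the original post.  The Claim/Policy
fields, the dollar figures and the ADR (mediation/arbitration) reduction
mechanics are assumptions built from the text; actual policy wording governs.
"""
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class Claim:
    defense: float            # defense costs
    indemnity: float          # award, settlement or similar payment to the claimant
    via_adr: bool = False     # resolved by mediation/arbitration rather than trial


@dataclass
class Policy:
    limit: float                                  # aggregate policy limit
    deductible: float                             # per-claim deductible
    aggregate_deductible: Optional[float] = None  # cap on deductibles paid per period
    loss_only: bool = False                       # "First Dollar Defense": defense exempt
    deductible_erodes_limit: bool = False         # deductible counts toward the limit
    adr_reduction: float = 0.0                    # e.g. 0.5 = deductible halved on ADR
    adr_reduction_cap: float = 0.0                # dollar cap on that reduction


@dataclass
class Settlement:
    insured_paid: float = 0.0   # deductibles actually paid by the insured
    carrier_paid: float = 0.0   # paid by the carrier within the limit
    uncovered: float = 0.0      # above the limit; back on the insured


def settle(policy: Policy, claims: List[Claim]) -> Settlement:
    """Apply the policy to claims in order and return who paid what."""
    out = Settlement()
    deductible_used = 0.0
    limit_remaining = policy.limit
    for c in claims:
        if policy.loss_only:
            subject, exempt = c.indemnity, c.defense   # defense paid from dollar one
        else:
            subject, exempt = c.defense + c.indemnity, 0.0
        ded = min(policy.deductible, subject)
        if c.via_adr and policy.adr_reduction:
            ded -= min(ded * policy.adr_reduction, policy.adr_reduction_cap)
        if policy.aggregate_deductible is not None:
            ded = min(ded, max(0.0, policy.aggregate_deductible - deductible_used))
        deductible_used += ded
        carrier_due = (subject - ded) + exempt
        if policy.deductible_erodes_limit:
            limit_remaining -= ded            # insured's deductible eats into the limit
        carrier_pays = min(carrier_due, max(0.0, limit_remaining))
        limit_remaining -= carrier_pays
        out.insured_paid += ded
        out.carrier_paid += carrier_pays
        out.uncovered += carrier_due - carrier_pays
    return out


def _as_tuple(s: Settlement):
    return (s.insured_paid, s.carrier_paid, s.uncovered)


def demo() -> dict:
    """Scenarios from the text, as {name: (insured_paid, carrier_paid, uncovered)}."""
    defense_only = [Claim(defense=300_000, indemnity=0)]
    five_small = [Claim(defense=50_000, indemnity=150_000)] * 5
    big = [Claim(defense=500_000, indemnity=1_000_000)]
    adr = [Claim(defense=100_000, indemnity=400_000, via_adr=True)]
    cases = {
        "traditional": (Policy(1_000_000, 100_000), defense_only),
        "loss_only": (Policy(1_000_000, 100_000, loss_only=True), defense_only),
        "aggregate_300k": (Policy(1_000_000, 100_000, aggregate_deductible=300_000), five_small),
        "erodes_limit": (Policy(1_000_000, 100_000, deductible_erodes_limit=True), big),
        "outside_limit": (Policy(1_000_000, 100_000), big),
        "adr_half_cap_25k": (Policy(1_000_000, 100_000, adr_reduction=0.5,
                                    adr_reduction_cap=25_000), adr),
    }
    return {name: _as_tuple(settle(p, cl)) for name, (p, cl) in cases.items()}


if __name__ == "__main__":
    for name, (ins, car, unc) in demo().items():
        print(f"{name:18s} insured={ins:>12,.0f} carrier={car:>12,.0f} uncovered={unc:>12,.0f}")
```

Running it shows the points made above in numbers: the defense-only claim costs the insured $100K under a traditional deductible and $0 under "Loss Only"; five $200K claims cost $300K rather than $500K once a $300K aggregate is in place; the $1.5M claim recovers only $900K when the deductible erodes the $1M limit versus $1M when it sits outside it; and the ADR reduction halves the $100K deductible only up to the $25K cap.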

Percent Deductible or a Fraction of Coverage?

The most common case of percent deductibles is in Catastrophe (CAT) property coverage – carriers mandate a deductible be a percentage of insured value (with a minimum) rather than a flat dollar amount. Yet two options that look the same could be anything but.

A primary difference lies in which figure the percentage is applied to. If you have a combined $100M in coverage, $70M of it building and $30M contents, is your (e.g.) 5% deductible applied to the $30M or the $100M? That's a question with three and a half million dollars of relevance ($1.5M versus $5M).

Now imagine that same claim happens on a multi-location policy with a $500M limit: does our deductible then apply to that aggregate value? Yikes.

The preferred method is to apply the deductible only to the specific coverage part(s) triggered by the loss. You'll often see policies refer to this as a "per coverage unit" deductible, the coverage units typically being Building, Contents, and Business Income/Extra Expense. Under this wording, if you have a loss to only (e.g.) Contents and Income, you pay only 5% of the value of those two items. "Coverage unit" can be further itemized, such as if you have large amounts of categorized "Outdoor Property" or "Property of Others".

Note this ultimately requires identifying the underlying value of these "coverage units". This is done either by reference to the policy declarations or, more typically, to the Schedule of Values ("SOV") on file with the carrier. Be aware of what this means: the itemization on your SOV is ultimately what determines your deductible. In other scenarios this might be a non-issue, but here, lumping values into a single entry or evenly allocating a sum total across locations could obligate you to a much larger deductible than imagined.

Percent deductibles vary not only in the dollar amounts they represent but also in how they are triggered. Because of this they demand scrutiny as well as a good scrubbing of your SOV. Pay close attention to the values on which the percentage is based, and aim to secure one that applies “per coverage unit”. Also make sure your SOV is itemized correctly as, after all that, we don’t want to be left holding the bag because a spreadsheet had 25 lines instead of 26.
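The following is an added worked example (not code from the original post) that puts numbers on the three possible bases for the 5% deductible in the $70M/$30M case above, and shows how a lumped SOV line item defeats "per coverage unit" wording. The schedule of values, the loss and the basis names used as function arguments are constructed for illustration, not policy terms.

```python
"""Percent-deductible bases on a CAT property loss.

Added worked example, not code from the original post.  The schedule of
values (SOV) and loss below are constructed to match the $70M/$30M case in
the text; the basis names ("coverage_unit", "location", "policy") are labels
used here for illustration, not policy terms.
"""
from typing import Dict

Schedule = Dict[str, Dict[str, float]]   # location -> coverage unit -> insured value

# Constructed SOV, itemized per coverage unit.
SOV: Schedule = {
    "Loc-1": {"Building": 70_000_000, "Contents": 30_000_000},
    "Loc-2": {"Building": 250_000_000, "Contents": 100_000_000, "BI/EE": 50_000_000},
}
# The same schedule with Loc-1 lumped into a single line, as a sloppy SOV might be.
SOV_LUMPED: Schedule = {
    "Loc-1": {"Property": 100_000_000},
    "Loc-2": SOV["Loc-2"],
}
# Constructed loss: contents only, at Loc-1.
LOSS: Schedule = {"Loc-1": {"Contents": 12_000_000}}


def deductible(sov: Schedule, loss: Schedule, pct: float, basis: str,
               minimum: float = 0.0) -> float:
    """Dollar deductible for `loss` under a `pct` percent deductible.

    The percentage applies to insured VALUE taken from the SOV, never to the
    amount of loss.  Which value depends on `basis`:
      coverage_unit - value of each unit that actually suffered loss (preferred)
      location      - total insured value at each location with a loss
      policy        - total insured value across the entire schedule
    `minimum` is the flat floor carriers attach to percent deductibles.
    """
    if basis == "coverage_unit":
        base = sum(sov[loc][unit] for loc, units in loss.items() for unit in units)
    elif basis == "location":
        base = sum(sum(sov[loc].values()) for loc in loss)
    elif basis == "policy":
        base = sum(sum(units.values()) for units in sov.values())
    else:
        raise ValueError(f"unknown basis {basis!r}")
    return max(minimum, base * pct)


def recovery(sov: Schedule, loss: Schedule, pct: float, basis: str,
             minimum: float = 0.0) -> float:
    """What the carrier owes after the deductible (never negative)."""
    total_loss = sum(sum(units.values()) for units in loss.values())
    return max(0.0, total_loss - deductible(sov, loss, pct, basis, minimum))


def lumped_loss(loss: Schedule) -> Schedule:
    """Re-express the same loss against the lumped SOV's single line item."""
    return {loc: {"Property": sum(units.values())} for loc, units in loss.items()}


if __name__ == "__main__":
    for basis in ("coverage_unit", "location", "policy"):
        d = deductible(SOV, LOSS, 0.05, basis)
        r = recovery(SOV, LOSS, 0.05, basis)
        print(f"{basis:14s} deductible={d:>14,.0f} recovery={r:>14,.0f}")
    d = deductible(SOV_LUMPED, lumped_loss(LOSS), 0.05, "coverage_unit")
    print(f"lumped SOV     deductible={d:>14,.0f}  (per-unit wording, but the SOV undid it)")
```

For the $12M contents loss, the deductible is $1.5M per coverage unit, $5M per location and $25M on the whole schedule, at which point the carrier owes nothing at all. The last line is the SOV point: with Loc-1 entered as a single $100M "Property" line, the per-coverage-unit wording still produces the $5M deductible, because the only coverage unit the schedule knows about is the lumped one.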

CrowdStrike: What We Can Learn

To recap:
1: Delta Air Lines uses CrowdStrike's "Falcon Sensor" as its endpoint security (antivirus/EDR) agent.

2: On 07/19/2024 a content configuration update to the Falcon Sensor (the "Channel File 291" update referenced in the letter below) crashes Delta's Windows systems, grounding 6,000+ flights and (supposedly) costing $500M.

3: Delta publicly and privately tells CrowdStrike that CrowdStrike is going to pay.

4: CrowdStrike responds to Delta stating that it has a different opinion.

Firstly, if you consume any media about this event, let it be this video: https://www.youtube.com/watch?v=wAzEJxOo1ts&t=619s.

It was made by David Plummer, an old-school Windows developer who runs a YouTube channel (and has a book!). He does a wonderful job of making tech topics consumable and has tons of wonderful anecdotes. Just a great channel all around. Regardless, watch the video and I guarantee you'll know more about this than you did 15 minutes ago.

With the facts as established as they're gonna be, let's dissect CrowdStrike's response letter.

Dear David:
I am writing on behalf of my client CrowdStrike, Inc. in response to your letter dated July 29, 2024, in which Delta Air Lines, Inc. raises issues and threatens CrowdStrike with legal claims related to the July 19, 2024 content configuration update impacting the Falcon sensor and the Windows Operating System (the “Channel File 291 incident”).

Can we appreciate how much this letter sounds like the dozens and dozens (and dozens) of letters insurance and risk professionals receive? I guess this just goes to show that the only thing that changes about claims is the dollar figure….

CrowdStrike reiterates its apology to Delta, its employees, and its customers, and is empathetic to the circumstances they faced. However, CrowdStrike is highly disappointed by Delta's suggestion that CrowdStrike acted inappropriately and strongly rejects any allegation that it was grossly negligent or committed willful misconduct with respect to the Channel File 291 incident. Your suggestion that CrowdStrike failed to do testing and validation is contradicted by the very information on which you rely from CrowdStrike's Preliminary Post Incident Review.

Eagle-eyed readers will notice a specific word here: GROSS negligence. And this is why contracts are so important, because by alleging GROSS negligence Delta is attempting to do a couple of things.

First, to open the door to punitive or exemplary damages, which are typically only available in cases of "gross" negligence. "But punitive damages aren't insurable," an astute insurance person might respond. That isn't entirely accurate. While many policies do exclude them, some don't, and whether they can be insured at all is a matter of jurisdictional rules. In fact, most (US) jurisdictions do allow insuring punitive damages, though with very specific qualifying criteria (usually "vicarious liability only"). So if you're an insurance professional, strive for policy wording that follows the law, e.g., covering punitive damages "where insurable by law".

The second reason Delta alleges gross negligence is that there is certainly a liability cap in its contract. Such caps can be bypassed (either via contract language or by operation of law) if the offending party is "grossly" negligent or engages in "willful" misconduct. You hire a vendor and they trip and start a fire: their liability to you is capped. You hire a vendor and they're an arsonist who intentionally starts a fire: their liability to you is uncapped.

As a risk professional, these limitations of liability are some of the most critical yet rubber-stamped parts of contracts. I can't tell you the number of times I've seen a business accept boilerplate language that limits liability to, for example, "the cost of the contract" (i.e., what you're paying the vendor). I've even seen this in architectural/engineering contracts! That'd be like limiting my auto mechanic's liability to the cost of my brake job; a lot more damage than the few hundred bucks the work cost can result if those brakes don't work.

Delta’s public threat of litigation distracts from this work and has contributed to a misleading narrative that CrowdStrike is responsible for Delta’s IT decisions and response to the outage. Should Delta pursue this path, Delta will have to explain to the public, its shareholders, and ultimately a jury why CrowdStrike took responsibility for its actions—swiftly, transparently, and constructively—while Delta did not.

While this is speculation, note the wording: CrowdStrike [is not responsible for] "Delta's IT decisions and response to the outage." It does not say CrowdStrike wasn't responsible for the outage, that CrowdStrike didn't err, or that its update rollout didn't circumvent customers' system controls. This is clever wording, from a clever attorney, who knew this letter was going public.

Among other things, Delta will need to explain:
● That any liability by CrowdStrike is contractually capped at an amount in the single-digit millions.

Womp womp.

Items for Legal Preservation:
1. Delta’s response to the Channel File 291 incident.
2. Delta’s emergency backup, disaster recovery, and IT business continuity plans, and any related testing of those plans.
3. All assessments of Delta’s IT infrastructure, including any gaps and remediation recommendations, for the last five years, including in the wake of the Channel File 291 incident.
4. All decisions to upgrade or not upgrade Delta’s IT infrastructure in the last five years.
5. All scripts and software that Delta has deployed before and after the Channel File 291 incident to address possible Windows group policy corruption issues across the IT estate.
6. All system event logs for the weeks preceding and succeeding the Channel File 291 incident.
7. All encryption-level software that Delta deployed on all its IT infrastructure and the management of this software.
8. All technology and operating systems that Delta utilizes to assign workflow, routes, crews, flight schedules, etc. and any information, documents, or analysis on how that technology interacts with any software that Delta employs on its IT infrastructure.
9. Any data loss following the Channel File 291 incident related to Delta’s workflow routes, crew and flight schedules, and all communications with crew members following the Channel File 291 incident.
10. Delta’s response and recovery to any previous IT outages in the past five years.

Not earth shattering, but I cite the above just to show how problematic legal discovery can be. Can you imagine, as a business owner, having to essentially produce a report on how you responded to every IT outage over the past five years? Now imagine you have services all over the world and 100,000 employees. (Item 6 deserves a second look, too: a demand for weeks of system event logs on either side of the incident can only be met if your retention settings actually kept them.) You may be completely within "the right" of whatever legal dispute you're having, but it's going to cost you a million bucks just to comply with discovery.

Now certainly some of the above is likely to get reduced in scope for being onerous, but the point is that the majority of expense and effort happens well before trial, and this is just a "throwaway" letter!

Delta has a big enough checkbook to figure this out, but what about a $100M company? A $10M company? A $1M company? Something like this would ruin them. Hope they know a good insurance person.

“Expected & Intended Injury” – But Not Damage!

This one comes from personal experience (and you know who you are if you’re reading this!).

General Liability is, obviously, not intended to cover incidents that are done intentionally with knowledge they will cause harm. But there is an exception: coverage applies if you knowingly cause injury in an effort to protect persons or property. Here is the (very brief) exclusion and its exception from the 2013 CGL form:

a. Expected Or Intended Injury “Bodily injury” or “property damage” expected or intended from the standpoint of the insured. This exclusion does not apply to “bodily injury” resulting from the use of reasonable force to protect persons or property.

The real-world example I was given for something of this nature is a crane operator who has to drop a load to prevent a catastrophic failure. If they intentionally drop the load and it injures someone, the CGL will provide coverage because the action was taken to prevent a larger event from occurring.

As a side note, there is a bevy of case law regarding this “expected or intended” exclusion and how it applies, whether the language is ambiguous, and whether coverage hinges on the intention of the act or the intention of the damage. It’s definitely worth looking into.

However, for our purposes, we're focusing on what is not in the exception: it restores coverage only for "Bodily Injury". I.e., the unendorsed CGL does not cover expected or intended Property Damage, only Bodily Injury, and even then only via the narrow "reasonable force" exception.

In the example of a crane operator dropping a load you can see how this could be incredibly problematic: you are almost assured to cause property damage in such a case. But, going by the strict "four corners" of the ISO policy, you're not going to be covered for such an event even if your intent was to prevent a much larger instance of property damage. This is true even if you intended to prevent both BI and PD because, recall, we are dealing with an exception to an exclusion; it speaks to the type of damage carved back into coverage, not to the trigger itself.

Thankfully, some carriers do offer proprietary wording to add this back, and it's even included on "enhancement" endorsements from some of the smaller/mutual carriers of the world. However, some national carrier brands don't address this in their policies and, when I brought it to them, were flummoxed how to respond. My key partners asked for language I could provide them (and this particular one was eventually manuscripted!), while others essentially shrugged.

In the end this is an incredibly easy fix for a carrier: it literally takes adding three words to the exception ("or Property Damage"). The fact that it needs to be added manually can be troublesome, since it's going to need approval. While troublesome, and likely frustrating to carrier personnel, it's precisely these types of esoteric situations by which brokers live and die. A client can go to nearly any broker/carrier and get an unendorsed ISO policy; if you're not giving them a reason not to, that's precisely what's going to happen.