Why Now is the Right Time to Customize Cyber and E&O Contracts


This insight is part 01 of 07 in this Collection.

December 7, 2023 17 mins


The non-standardized nature of cyber and E&O policy wording creates the opportunity to mold an individually tailored and responsive risk transfer tool.

Key Takeaways
  1. Cyber and E&O forms present an opportunity for policy wording variance, unlike other policies with standardized wording.
  2. With favorable market conditions when compared to recent years, now is the right time for policyholders — with the aid of their counsel — to customize their cyber and E&O coverages to suit their organization’s risk needs.
  3. Start early, form the right organizational team and include the right broker to get the process of negotiating policy wording started.

Better Informed

One of the nuances of the cyber and errors and omissions (E&O) insurance market is the lack of standardized policy forms. Without a standard definition, policyholders have the opportunity to mold cover that is tailored to their business’s exposures. This landscape empowers risk buyers to negotiate a precise and clearly worded cyber and E&O policy. Current supply and market conditions are combining to make it an ideal time for customization in the cyber and E&O market. Here’s why:

  • According to Aon’s 2023 Global Risk Management Survey, cyber attacks and data breaches continue to be the number one risk facing organizations globally. Even further, they are predicted to stay on top for the next three years, as costs of single data breaches reach all-time highs and ransomware attacks return with a vengeance.
  • According to Aon data, ransomware attacks rose 203 percent and cyber premium rates declined by 17 percent in Q3 2023, extending trends in each for a third consecutive quarter.
  • Overall buyer-friendly cyber market conditions have continued through Q3 2023, with greater competition and more capacity available.

The cyber and E&O market is favorable to buyers now but may become volatile over the next three to five years should loss frequency and severity continue to develop unfavorably in 2024. It is therefore especially important that buyers identify the right long-term insurer that understands their business risks and is willing to customize policy wording to address exposures and incident response strategies.

  • Systemic risk remains a top concern for insurers. Carriers continue to evaluate, scrutinize and, in some instances, restrict coverage offered for critical infrastructure, systemic or correlated events, supply chain and other critical third-party dependencies, and war.
  • Privacy-related losses are mounting and becoming more severe as well. Underwriting scrutiny related to privacy exposures and data collection, including biometric information, pixel tracking, and new privacy and consumer protection regulations is increasing.

Better Decisions

Six Steps Toward Creating a Customized Cyber and E&O Policy

Complexity in the cyber and E&O market is only furthered by the dynamic appetites of cyber insurers and the constant evolution of technology risks. This results in regular changes to insuring agreements and exclusions. The market can often be a moving target. Yet, as daunting as it may seem, the prospects of negotiating a cyber or E&O policy that’s specifically geared to a business’s exposures are good. Buyers can enhance their chances for positive negotiations by following this advice:

  1. Start early.

     Shaping cyber policy wording requires a collaborative discussion among key stakeholders as early as six months prior to renewal. This is critical because the team involved in evaluating exposures and loss scenarios will be large and varied.

  2. Form the right team.

     The far-reaching consequences and intricacies surrounding technology risk require a team of colleagues that goes beyond risk management professionals. The team should include members of the cyber security and data privacy team, legal teams responsible for managing contracting, claims management and colleagues experienced with delivering business continuity plans.

  3. Include experienced external partners.

     Having the right insurance professionals to assist in crafting appropriate policy language and negotiating with the insurer is important. Outside counsel may also be brought in to focus on policy drafting and interpretation.

  4. Measure against business and industry cyber exposures.

     Policy language should be measured against the business and industry-specific exposures and loss or claim scenarios that are most concerning to the business. Identification of these scenarios, against which the policy wording will be tested, requires consideration of both frequency and severity of potential losses. This ensures that customization of the policy aligns with the organization’s risk appetite and risk management philosophy.

  5. Analyze policy exclusions.

     Similarly, policy exclusions must be critically analyzed to determine whether losses and desired covered claims could be excluded. With the breadth of coverage available under cyber and E&O policies, claims and losses are typically multifaceted with both first- and third-party components.

  6. Manage other policy terms, including business interruption.

     Other policy terms can be concerning to a business, including how business interruption losses will be calculated and presented. The base policy form often requires losses to be proven using a methodology that could be illogical or impossible for some organizations to navigate.


Decline in cyber premium rates in Q3 2023

Source: Aon data

Consider These E&O Coverage Points

In addition to the risk transfer value of the policy, E&O cover is often key to business facilitation for professional service companies. Customer contracts regularly are revised to include E&O insurance requirements that go beyond minimum required limits and include specific policy language requirements.

Three common examples include: an additional insured status for the customer, a waiver of the insurer’s rights of subrogation, and the service provider’s insurance being primary/non-contributory to any other insurance, including the customer’s. While E&O insurance policies can accommodate these requests, the policy language should remain aligned with the organization’s risk management philosophy and balance protecting the organization against facilitating business needs. Further:

  • Ensure E&O due diligence. E&O policies require a similar level of due diligence to ensure they address the risk transfer and business goals of the organization. The definition of professional services, which serves as the gatekeeper for all E&O policy coverage, is particularly important. Insurers will often push to have this definition be as narrow and specific as possible.
  • Consider an alternative approach to defining policy services. An alternative for defining professional services involves requesting an omnibus definition. It contemplates all services contracted to be provided by the organization or any third party for which the organization is legally liable. While some insurers will be receptive to this definition, they will have heightened underwriting expectations. The policyholder should be intentional with how contractual risk management, business development, and conflict resolution are presented to the insurer. This is critical for securing the insurer’s support.

“The base policy language in many E&O insurance policies may not strike the necessary balance and should be customized appropriately. Since this is different for every organization, it’s an area where collaboration between risk management, legal and business teams, alongside the insurance broker, is critical,” says Christopher Mee, Senior Vice President, E&O/Cyber Product Team, North America.

Cyber and E&O insurance policies provide a broad array of coverage designed to address the myriad losses associated with cyber incidents and professional service risks. These policies are not one-size-fits-all. They require a high degree of customization to ensure clarity and coverage when needed most.

Aon’s Thought Leaders
  • Darin McMullen
    E&O/Cyber Product Leader, Cyber Solutions, North America
  • Christopher Mee
    Senior Vice President, E&O/Cyber Product Team, Cyber Solutions, North America
  • Pablo Constenla
    Head of Cyber Coverage & Claims, Cyber Solutions, EMEA
  • Helen Chapman
    Head of Coverage and Insurable Risk – Specialty Products, Global Broking Center and UK Commercial Risk
  • Dan Screene
    Head of Cyber Coverage, Global Broking Center and UK Commercial Risk


Increase in ransomware attacks in Q3 2023

Source: Aon data

General Disclaimer

The information contained herein and the statements expressed are of a general nature and are not intended to address the circumstances of any particular individual or entity. Although we endeavor to provide accurate and timely information and use sources we consider reliable, there can be no guarantee that such information is accurate as of the date it is received or that it will continue to be accurate in the future. No one should act on such information without appropriate professional advice after a thorough examination of the particular situation.

Terms of Use

The contents herein may not be reproduced, reused, reprinted or redistributed without the expressed written consent of Aon, unless otherwise authorized by Aon. To use information contained herein, please write to our team.
