Chapter 24 Exercises

Work these with the chapter's habits of mind: the exposure here is intangible — judgment, conduct, code — so for every risk ask what does this insured actually do, what is the worst harm a single error could cause, and who would sue over it? And for every claims-made placement ask which device closes the gap — the retro date, or the tail? Items marked with a dagger (†) have worked solutions in Appendix: Answers to Selected Exercises; the rest are for discussion or self-test. Section references like (§24.4) point you back to the relevant part of the chapter.

A. Recall and definitions

  1. Define errors & omissions (E&O) in one sentence, and explain why it insures a standard of care rather than a guarantee of a result. (§24.1)
  2. Name and describe the three "sides" of a directors & officers (D&O) policy. Which side carries no retention, and why? (§24.2)
  3. Define employment practices liability (EPL). Who is the plaintiff, and how does the exposure differ from workers' compensation? (§24.3)
  4. A cyber liability policy splits into first-party and third-party coverages. List two coverages on each side and say, in a phrase, what each pays for. (§24.4)
  5. Define the tail / extended reporting period (ERP). State precisely what it extends and what it does not cover. (§24.6)
  6. What is a retroactive date, and what is prior-acts coverage? Why does preserving the retro date matter when an insured switches carriers? (§24.6)
  7. Why are E&O, D&O, EPL, and cyber almost always written on a claims-made rather than an occurrence trigger? Tie your answer to the gap between the act and the claim. (§24.6)

B. Professional liability (E&O)

  1. Distinguish traditional professional liability from miscellaneous professional liability (misc E&O). Give one example of an insured in each category and say why the standard of care is clearer in one than the other. (§24.1)
  2. Two marketing agencies have identical $5M revenue. Agency A designs logos and brochures. Agency B manages clients' multimillion-dollar ad budgets and ad targeting. Explain why these are very different E&O risks at the same revenue, and what document you would read to see the difference. (§24.1)
  3. An E&O policy has a defense-inclusive (eroding) limit. Explain why this is a harsh feature on a professional line, and what you would tell an insured to check about their limit. (§24.1)
  4. Why do most E&O policies exclude the return of fees and intentional acts? What is the principle behind each exclusion? (§24.1)

C. Directors & officers (D&O)

  1. Explain why a company preparing for an IPO faces one of the highest-risk D&O events there is. What changes about its exposure the moment it sells stock to the public? (§24.2)
  2. Contrast public-company and private-company D&O by their dominant claim types. Why is private-company D&O so often packaged with EPL and fiduciary liability? (§24.2)
  3. The chapter calls D&O loss "correlated, not independent." Describe a single macro event that would generate D&O claims across many of your insureds at once, and explain how that changes how you manage aggregate. (§24.2, Underwriting Trap)
  4. A startup founder asks why the company needs D&O when it already carries tech E&O for its product. Write two or three sentences explaining the different exposure each covers. (§24.1, §24.2)

D. Employment practices liability (EPL)

  1. Two retailers each post $40M in revenue. Retailer X has 80 employees and very low turnover; Retailer Y has 400 seasonal employees and high churn. Which has the larger EPL exposure, and why is revenue the wrong exposure base for this line? (§24.3)
  2. List four elements of "the machinery of employment" you would want to see in an EPL submission, and for each, say how it lowers loss. (§24.3, At the Desk)
  3. Why does EPL claim frequency tend to spike after a recession? Name the specific kinds of claims a wave of layoffs generates. (§24.3)
  4. Explain why EPL is acutely sensitive to jurisdiction. What would make the identical termination far more expensive in one state than another? (§24.3)

E. Cyber: coverage, growth, and controls

  1. Harbor Steel is a 180-person metal fabricator with little sensitive customer data. Explain why it still has a real cyber exposure, and name the single first-party coverage that drives the loss for a manufacturer like it. (§24.4, The Underwriting File)
  2. The chapter says cyber violates all three words in "independent, similar, stable" risks. Take each word in turn and explain how cyber breaks it, and why this makes cyber both a catastrophe peril and a non-stationary one. (§24.4)
  3. (Find the red flag.) A cyber application states: "Yes, we use multi-factor authentication." A follow-up call reveals MFA is enabled on the company VPN but not on email and not on administrator accounts, and that nightly backups exist but have never been test-restored. Identify the two red flags, explain why each matters to a ransomware loss, and state what you would require before binding. (§24.5)
  4. Explain, from the ransomware economy's point of view, why tested offline or immutable backups are the control that turns a company-ending event into a bad week — and why attackers now hunt for the backups first. (§24.5)
  5. Why are outside-in security ratings a useful triage and verification tool but a poor basis for the final accept/decline/price decision? Connect your answer to the idea that the adversary "adapts to the model." (§24.4, Model vs. Judgment)

F. Claims-made mechanics

  1. An established engineering firm has been with Carrier A on claims-made, full prior acts, for eight years. You are quoting them from Carrier B. (a) What must you do with Carrier B's retro date, and why? (b) Separately, if the firm were closing rather than switching, what would they need instead, and why would a cheap new policy be the wrong answer? (§24.6)
  2. (Find the red flag.) A broker moves a law firm to a new carrier and the new policy's declarations show a retroactive date equal to the new policy's inception. The firm has been in practice for fifteen years. What has gone wrong, who is now exposed, and whose E&O claim has the broker just created? (§24.6)
  3. Why do many states regulate claims-made policies specifically — mandatory ERP offers, plain-language disclosure of the trigger and retro date? What consumer harm are these rules designed to prevent? (§24.6, Compliance Corner)
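A worked example of the two claims-made gates the Section F exercises turn on, the retroactive date and the tail (ERP). This is added here and is not part of the chapter; the policy periods, "Carrier A/B" dates and the act/claim timeline are constructed assumptions.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional, Tuple


@dataclass(frozen=True)
class ClaimsMadePolicy:
    inception: date
    expiration: date
    retro_date: Optional[date]      # None means full prior-acts coverage
    erp_end: Optional[date] = None  # end of a purchased tail (ERP); None if no tail


def is_covered(p: ClaimsMadePolicy, act_date: date, claim_date: date) -> Tuple[bool, str]:
    """Apply the two claims-made gates: the act must fall on or after the retro date,
    and the claim must first be made during the policy period (or during the ERP).
    The tail extends only the reporting window, never the window of covered acts."""
    if p.retro_date is not None and act_date < p.retro_date:
        return False, "act predates retroactive date (no prior-acts coverage)"
    if act_date > p.expiration:
        return False, "act after expiration; a tail does not extend the act window"
    if p.inception <= claim_date <= p.expiration:
        return True, "claim made within policy period"
    if p.erp_end is not None and p.expiration < claim_date <= p.erp_end:
        return True, "claim reported within extended reporting period (tail)"
    return False, "claim made outside policy period and any tail"


# Constructed scenario (assumed, not from the chapter): an engineering firm was with
# Carrier A on full prior acts for 2016-2023; the exercises ask what happens next.
ACT = date(2021, 6, 15)       # design error committed while insured with Carrier A
CLAIM = date(2024, 9, 1)      # client first sues after the Carrier A period ends
LATE_ACT = date(2024, 3, 1)   # an act committed after Carrier A expired

# Switching to Carrier B: retro date reset to inception (gap) vs. prior acts preserved
CARRIER_B_RESET = ClaimsMadePolicy(date(2024, 1, 1), date(2024, 12, 31), retro_date=date(2024, 1, 1))
CARRIER_B_PRESERVED = ClaimsMadePolicy(date(2024, 1, 1), date(2024, 12, 31), retro_date=None)

# Closing the firm: Carrier A simply expires vs. Carrier A expires with a 3-year tail
CARRIER_A = ClaimsMadePolicy(date(2016, 1, 1), date(2023, 12, 31), retro_date=None)
CARRIER_A_TAIL = ClaimsMadePolicy(date(2016, 1, 1), date(2023, 12, 31), retro_date=None,
                                  erp_end=date(2026, 12, 31))


def coverage_gap_report() -> dict:
    """Run the four exercise situations and report which device closes the gap."""
    return {
        "switch_retro_reset": is_covered(CARRIER_B_RESET, ACT, CLAIM),         # gap: not covered
        "switch_retro_preserved": is_covered(CARRIER_B_PRESERVED, ACT, CLAIM), # covered
        "closing_no_tail": is_covered(CARRIER_A, ACT, CLAIM),                  # gap: not covered
        "closing_with_tail": is_covered(CARRIER_A_TAIL, ACT, CLAIM),           # covered
    }
```

Running `coverage_gap_report()` shows the retro date failing the switched firm and the missing tail failing the closing firm, which is why a cheap new policy with retro date equal to inception is the wrong answer in both exercises.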

G. Underwrite / price / decide

  1. (Underwrite this submission.) A 40-person IT managed-services provider applies for tech E&O and cyber. They configure and monitor the backup systems that several hospitals rely on. Their application shows MFA everywhere, monitored EDR, and tested backups, but their contracts contain no limitation-of-liability clauses and they have one prior claim (a client's data loss they restored at their own cost). State your read of the risk, the single largest exposure, two things you would require or want, and your accept/decline/modify lean with reasoning. (§24.1, §24.5, Ch. 13)
  2. (Price this risk — qualitative.) You are asked to size a cyber limit for two insureds: (a) Harbor Steel (180-person fabricator, modest data, real BI exposure) and (b) Tindall Stores (regional retailer, large payment-card data trove, prior breach). Without inventing precise dollar figures, explain how the exposure profile of each should drive a different limit, a different coverage emphasis (first- vs. third-party), and a different set of binding conditions. (§24.4, §24.5, The Underwriting File)
  3. (Find the red flag.) A cyber renewal submission for a company that suffered ransomware last year states only: "Incident resolved. No further issues." Nothing about remediation. List the specific questions you would ask before you would consider renewing, and explain why the fact of the prior breach is not, by itself, the underwriting concern. (§24.5, Underwriting Trap)

H. Memos, ethics, and the File

  1. (Write the memo.) Draft a short coverage-recommendation note (5–8 sentences) to the Harbor Steel broker explaining why you recommend a modest, controls-conditioned cyber add-on and no E&O, written so a non-specialist owner understands the reasoning. (The Underwriting File; §24.1, §24.4)
  2. (Ethics dilemma.) A long-standing, well-liked commercial client of yours — a 120-person services firm — has applied for cyber with no MFA on email and no tested backups, but with a hard contractual deadline to show proof of coverage to their customer by Friday. The broker presses you to bind now and let them "fix the controls later." What are the competing pressures, what is the disciplined answer, and how do you structure a response that protects both the pool and the relationship? (§24.5, Ch. 13)
  3. (Ethics / fairness.) An outside-in security rating downgrades an insured because of a vulnerability the company has, on review, already patched — the scan is stale. The model "says decline." Explain why overriding the model here is not just permitted but required, what you must document, and how this connects to the book's theme that the underwriter, not the algorithm, decides. (§24.4, Model vs. Judgment; Ch. 7)
  4. (The Underwriting File — extension.) Suppose Harbor Steel announces it will expand into design-build — offering structural engineering and design services to customers, not just fabricating to others' drawings. Explain how this single business change opens a professional-liability (E&O) exposure that did not exist before, what new questions you would ask, and how the coverage picture for the account would change. (§24.1, The Underwriting File)
  5. (The Underwriting File — extension; Tindall Stores.) You are handed Tindall Stores' cyber submission a year after its ransomware breach. Outline the remediation evidence you would demand to decide whether the company is now a better risk than a never-breached peer or a worse one — and explain, using adverse selection from Chapter 1, why the prior breach alone tells you almost nothing. (§24.5, The Underwriting File; Ch. 1)