Chapter 24 — Further Reading

Sources are grouped by the book's three citation tiers: Tier 1 (verified, canonical), Tier 2 (attributed but with specifics that shift over time and should be checked against current data), and Tier 3 (the chapter's own constructed teaching material). Nothing here invents a statistic; where the cyber and D&O markets are described, the patterns are well documented even though precise figures move year to year.

Tier 1 — Verified, canonical

  • The Institutes (American Institute for CPCU), commercial and management-liability curricula — the professional body's treatment of professional liability, D&O, EPL, and cyber, and of the occurrence-vs-claims-made trigger; the working vocabulary this chapter uses.
  • ISO / Verisk standard forms and the management-liability and cyber form landscape — the bureau forms and endorsements that define professional, management, and cyber coverage in the U.S. market; the reference point for how the coverages are actually worded.
  • U.S. federal and state employment law as the backdrop to EPL — Title VII of the Civil Rights Act of 1964, the Americans with Disabilities Act (ADA), the Age Discrimination in Employment Act (ADEA), and the patchwork of state and local employment statutes that create the EPL exposure. (These are the real laws; the EPL policy responds to claims arising under them.)
  • U.S. securities laws underlying D&O — the Securities Act of 1933 and the Securities Exchange Act of 1934, the statutory basis for the securities class actions that drive public-company D&O loss.
  • The public record of the 2020–2021 ransomware surge and cyber-market hardening — government advisories (e.g., CISA and the FBI on ransomware), regulatory and industry commentary, and reputable journalism documenting the shift from data-breach to ransomware loss and the resulting underwriting tightening. Use for the pattern; verify any specific figure against current sources.

Tier 2 — Attributed, specifics to verify

  • Cyber-market rate and loss-trend reporting (broker market reports, rating agencies, NAIC cyber data calls) — the broad arc (soft pre-2020 → sharp hardening 2020–2021 → moderation as controls improved) is well attested; specific rate-change percentages, loss ratios, and capacity figures change continuously and must be pulled from current sources, not quoted from memory.
  • Securities class-action filing trends (academic and litigation-monitor studies) — the recurring pattern that hot IPOs followed by stock drops draw securities suits is robust; annual filing counts and settlement amounts vary by year and source.
  • Industry guidance on cyber security controls for insurability (MFA, EDR, tested backups, the ransomware supplemental application) — the controls checklist in §24.5 reflects a real and widely adopted underwriting consensus; the exact list and thresholds differ by carrier and evolve with the threat.
  • Management-liability practice literature (D&O three-part structure, Side-A excess, IPO D&O) — standard in the practitioner and brokerage literature; the structural concepts are stable, particular market terms are not.

Tier 3 — Illustrative / constructed (this book's own material)

  • The Harbor Steel & Fabrication file — the cyber-add-on recommendation and the E&O-not-indicated analysis in this chapter's Underwriting File; a constructed teaching account.
  • Tindall Stores — the post-breach regional-retailer cyber submission introduced here and carried into Chapters 31 and 32; constructed.
  • The "Northbeam Health" IPO D&O composite (Case Study 2) — a labeled composite built from the real, recurring securities-suit pattern; the company, names, and all figures are constructed.
  • The controls checklist, the claims-made timeline, and the three-sides diagram — illustrative renderings chosen to make the mechanics legible, not drawn from any single carrier's form.

If you read only one thing: read your own broker's or carrier's current cyber ransomware supplemental application end to end. It is the most honest, up-to-date statement of what the market believes actually reduces cyber loss — every question on it is a control someone learned to ask the expensive way during the 2020–2021 reckoning, and reading it teaches the §24.5 controls discipline faster than any textbook.