Chapter 24 — Key Takeaways
A one-page field card for the professional and specialty lines. The exposure here is intangible — judgment, conduct, code — so the data helps least and your judgment matters most.
The core claims
- The specialty lines have no "thing" to inspect. Property has a building; these lines have a standard of care, a board's decisions, a manager's conduct, a company's data. You underwrite by reading what the insured does and what harm one error transmits downstream — not by walking the premises.
- E&O insures a standard of care, not a result. Liability attaches only when professional work fell below what a competent peer would have done and caused a quantifiable economic loss. It excludes bodily injury/property damage (that's the CGL) and the return of fees.
- D&O insures the decisions of leadership across three sides — A (individuals when the company can't indemnify, no retention), B (reimbursing the company's indemnification), C (the entity's own liability, mainly securities for public companies). D&O loss is correlated with the economic cycle, not independent.
- EPL is the near-universal exposure every employer underestimates. Priced on headcount and turnover, not revenue; driven by HR discipline, documentation, and jurisdiction; frequency spikes after recessions.
- Cyber is the fastest-growing line — and a catastrophe and non-stationary peril at once. It violates all three of the law of large numbers' requirements (independent, similar, stable), which makes it the hardest line to model and the one most decisively underwritten by controls.
- When the peril is preventable by controls, you underwrite the controls — and verify them. Treat the application as claims to check, not facts to accept.
The rules of thumb
- The E&O question: What exactly does this insured do, and what is the worst financial harm a single error could cause their client? Read the service contracts; the exposure is the size of the harm, not the size of the firm.
- The cyber controls floor (price of admission): MFA on email/remote/privileged accounts (often a hard requirement) → tested offline/immutable backups → EDR/MDR → patching → email security → IR plan. No MFA, no tested backups → decline or refer.
- The post-breach test: the fact of a prior breach tells you almost nothing; the remediation evidence tells you everything. A hardened survivor can beat a complacent never-victim.
- Claims-made, two devices, never mix them up: switching carriers → preserve the retro date (prior acts); ending/retiring → buy the tail (ERP). Resetting the retro date to inception = a coverage gap + a broker E&O claim.
- Emerging risk, three disciplined moves: write it small (sublimit), write it narrow (manuscript a defined peril), or decline and watch. Never write it at scale on a standard form at a standard price.
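The controls floor, the "claims to check, not facts to accept" rule and the post-breach test above, turned into a small triage routine over a structured submission. This is an added example written for this summary, not the chapter's own material; the control names, the evidence field, the decline/refer thresholds and the three applicants are constructed assumptions, chosen to illustrate the ordering the card gives.

```python
"""Cyber submission triage: underwrite the controls, then verify them.

Added example, not from the chapter. Control names, evidence strings,
decision thresholds and the sample applicants are all constructed.
"""
from dataclasses import dataclass, field

# The controls floor in the order the card lists it. The first two are
# hard stops: missing -> decline, claimed but unverified -> refer.
FLOOR = [
    "mfa",             # MFA on email / remote access / privileged accounts
    "tested_backups",  # offline or immutable backups with a tested restore
    "edr_mdr",
    "patching",
    "email_security",
    "ir_plan",
]
HARD_STOPS = {"mfa", "tested_backups"}


@dataclass
class Control:
    claimed: bool          # what the application asserts
    evidence: str = ""     # constructed: e.g. "restore test log", "IdP policy export"


@dataclass
class Submission:
    name: str
    controls: dict
    prior_breach: bool = False
    remediation_evidence: list = field(default_factory=list)


@dataclass
class Decision:
    outcome: str                                   # "decline", "refer" or "proceed"
    reasons: list = field(default_factory=list)    # why it is not a clean proceed
    subjectivities: list = field(default_factory=list)  # conditions to bind


def triage(sub: Submission) -> Decision:
    """Walk the floor in order; hard stops drive the outcome, the rest become subjectivities."""
    reasons, subjectivities = [], []
    for name in FLOOR:
        ctl = sub.controls.get(name, Control(claimed=False))
        if not ctl.claimed:
            if name in HARD_STOPS:
                reasons.append(f"{name} not in place")
            else:
                subjectivities.append(f"implement {name} before binding")
        elif not ctl.evidence:
            # Claimed with nothing to back it: a claim to check, not a fact to accept.
            if name in HARD_STOPS:
                reasons.append(f"{name} claimed but no evidence supplied")
            else:
                subjectivities.append(f"supply evidence for {name}")
    # The post-breach test: the breach itself says little, the remediation record says everything.
    if sub.prior_breach and not sub.remediation_evidence:
        reasons.append("prior breach with no remediation evidence")
    if any(r.endswith("not in place") for r in reasons):
        return Decision("decline", reasons, subjectivities)
    if reasons:
        return Decision("refer", reasons, subjectivities)
    return Decision("proceed", reasons, subjectivities)


# Constructed sample applicants (not the firms named in the chapter).
APPLICANT_A = Submission("Applicant A", {
    "mfa": Control(True, "IdP policy export"),
    "tested_backups": Control(True, "restore test log"),
    "edr_mdr": Control(True, ""),            # claimed, nothing attached
    "patching": Control(True, "patch report"),
    "email_security": Control(False),
    "ir_plan": Control(True, "IR plan document"),
})
APPLICANT_B = Submission("Applicant B", {
    "mfa": Control(True, ""),                # claimed, unverified: hard stop -> refer
    "tested_backups": Control(True, "restore test log"),
    "edr_mdr": Control(True, "MDR contract"),
    "patching": Control(True, "patch report"),
    "email_security": Control(True, "gateway config"),
    "ir_plan": Control(True, "IR plan document"),
}, prior_breach=True, remediation_evidence=[])
APPLICANT_C = Submission("Applicant C", {
    "mfa": Control(False),                   # no MFA at all -> decline
    "tested_backups": Control(True, "restore test log"),
})

if __name__ == "__main__":
    for sub in (APPLICANT_A, APPLICANT_B, APPLICANT_C):
        d = triage(sub)
        print(sub.name, d.outcome, d.reasons, d.subjectivities)
```

Reasons and subjectivities are kept apart on purpose: a reason is something that changes the outcome (a hard stop missing or unverified, a breach with no remediation record), while a subjectivity is a condition the underwriter can bind around. Applicant A proceeds with two subjectivities, Applicant B is referred on an unverified MFA claim and a bare prior-breach disclosure, and Applicant C is declined outright.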
Key terms
E&O / professional liability · directors & officers (D&O) (Sides A/B/C) · cyber liability (first-party vs. third-party) · employment practices liability (EPL) · tail / extended reporting period (ERP) · retroactive date · prior-acts coverage · claims-made trigger (built in Ch. 21).
What you could defend to your manager
"Harbor Steel doesn't need E&O — a failed bracket is a products/GL claim, not negligent professional advice — but it does have a real cyber exposure: as a manufacturer its dominant loss would be business interruption from ransomware, not a privacy suit. I recommend a modest standalone cyber add-on sized to the contract requirement, emphasizing first-party BI and extortion, conditioned on MFA and tested backups as subjectivities. I priced the controls, not the rear-view mirror — and I'm watching Tindall Stores' post-breach submission for the remediation evidence before I'd touch it."