The opening line of William Shakespeare’s Richard III is an oft-quoted line—often used to express sadness. You know, how you feel when another agency agreement comes across your desk. I know that agency agreements are no one’s favorite thing. You would much rather spend your time finding new clients and providing services to current ones than reading an agency agreement.
However, often your ability to do the former can be impacted by the amount of time you spend paying attention to the latter. Luckily, PIA Northeast members have an entire legal department at their disposal that will review agency agreements for them and highlight problem areas. In anticipation of the flood of contracts PIA is sure to receive following this article, I thought I would highlight some contractual provisions for which you should be on the lookout. Some are common and some are just emerging, but all could impact your agency.
I have written about cybersecurity before in PIA Magazine, but the presence of cyber security clauses in agency agreements has only increased since that time. While cyber security clauses vary, generally they fall into one of three categories:
- I’m just here so I won’t get fined;
- My legal team told me we need this clause; or
- I wear a belt and suspenders.
I’m just here so I won’t get fined. In this category, you will find basic language regarding your cyber security responsibilities. It will read something to the effect of:
You are responsible for the protection of any nonpublic information [which may or may not be defined in the agreement] in your possession and for following all applicable laws and regulations regarding cyber security protection.
Usually, these types of provisions are no more than one or two sentences and do not get into specific measures you might be required to adopt, nor do they reference any specific law or regulation.
My legal team told me we need this clause. This category goes a step further than the previous one. Typically, these clauses are a paragraph or two and will reference law or regulation (most commonly New York state’s cyber security regulation, 23 NYCRR 500). In addition, they will require the producer to develop some sort of cyber security program, and to maintain and update said program by using industry-related guidelines and recommendations. Usually, these types of clauses will not get into too many—or any—details about what cyber security protections your agency needs to adopt. They also may require the agency to share what protections it has in place with the carrier.
I wear a belt and suspenders. This category is the toughest. Usually, it runs a few pages (thus the one you are most likely to skip entirely) and goes into depth as to what your agency must do to comply with the requirements of the agreement. Federal and state law/regulation will be referenced. The clause usually will require more from the agency than is required by law. For example, it is common for multifactor authentication and encryption to be required in these clauses. However, neither of those protections is required of agencies that qualify for the limited exemption under 23 NYCRR 500, or those who must follow the cyber security laws of either Connecticut or New Hampshire—the other two states in our area that have adopted insurance-specific cyber security laws. Finally, not only is your agency required to tell the carrier what protections it has in place, but the carrier often is granted the ability to come into your agency and audit your system and make recommendations for improvement. Basically, it takes what you are required to do by the law and turns it up to 11.
Why should you care about any of these? First, because you should take cybersecurity seriously. If you are licensed in any of the three states I mentioned previously, you are legally required to make sure your agency protects client nonpublic information. Second, all these clauses—no matter how detailed—are there for the same reason. They give the carrier grounds to come after your agency for breach of contract if you suffer a cyber security attack and the carrier sustains some sort of damage due to it. Depending on the carrier you are working with, you could push back on certain onerous requirements and tone down some of the language, particularly if the carrier’s cyber security clause falls into the last category. However, even if you cannot change the terms of the agreement, the knowledge of its existence is half the battle.
A new clause that I have seen recently has to do with record retention. Done yawning? Great. These clauses say something to the effect that your agency is required to keep original applications on file for at least X number of years. In addition, it states that if your agency were to fail to have a signed application on file, the agency would be responsible for any damage and/or liability that the carrier may incur by virtue of the lack of a signed application.
There are a couple of issues with this type of clause. First, the time in which you must keep records almost always exceeds what the majority of states and all the states in the PIA Northeast footprint require. Second, it puts liability on your agency that might not otherwise exist. Remember that carriers must follow record retention laws as well, so why should your agency be penalized for failing to follow a contractual clause based on a legal requirement that the carrier is under? Third, the carrier can terminate the agreement due to breach of this clause. This is insult to injury. Not only are you on the hook for damages, but you lose a market for your clients as well.
This is a classic. Indemnification/hold harmless clauses appear in almost every agency agreement. In an indemnification clause, one party gives another party security for reimbursement for situations in which an anticipated loss may fall upon that party. A hold harmless clause is a contractual agreement in which one party agrees to accept the liability in certain situations, releasing the other party of responsibility for liability, such as damages sustained, arising from those situations. In agency agreements, the clauses come into play when a claim is brought against the agency resulting from circumstances for which the carrier is liable legally.
The most common problem with these clauses is not that they are in the contract. In fact, when I don’t see one, I usually suggest that the agency consider adding one before signing the agreement. No, the most common problem is that these clauses often only run one-way. Often the agency must agree to indemnify the carrier for any action by the agency that brings liability to the carrier, but there is no similar agreement to indemnify the agency for actions by the carrier. These clauses always should be mutual. In no circumstances should your agency have to be liable for damages because of actions of the carrier.
The commission clause may be the second most important clause in the agency agreement. Unfortunately, there are too often major issues with the commission clause in agency agreements. A common commission clause states the agency will be paid commission in accordance with the commission schedules and rules as established by the carrier and in effect on the effective date of a commission transaction. This is problematic for several reasons. First, it allows the carrier to change your commission at any time without any notice. Second, it puts your agency in a situation in which you might not actually know the commission you are going to be paid until after the policy is bound. Neither is great for your agency. PIA suggests that commission levels be stated expressly in the contract (or addendum included with the contract), and that the carrier only be permitted to change commission levels when advance notice, usually 90 days, is given.
Back to Shakespeare
You might have noticed the ellipses at the end of the quote in the headline. That, of course, indicates there is more to the story. The quote as it appears in Richard III is “Now is the winter of our discontent, made glorious summer by this sun of York.” So, the true meaning of the quote is not one of sadness, but one of celebration. The sun is out and the time for unhappiness is in the past. This sentiment can be applied to agency agreements just as it was applied in the play to the reign of Edward IV.
Spending just a few minutes reviewing your agency agreement—or sending it to PIA, so we can review it for association members—can save your agency from enduring a winter of discontent and instead allow you to bask in the sun.
This article originally appeared in the January 2020 issue of PIA Magazine.
 Named after former-NFL Running Back Marshawn Lynch, who famously hated talking to reporters. However, NFL rules require players be available to the press, so when Lynch refused to do so he would get fined. This led to a legendary press conference at which Lynch showed up, but he answered every question with: “I’m just here so I won’t get fined.” In other words, this category is for those who do the bare minimum because it is required of them.
 Go Joe!
 The first is the ownership of expiration clause.
Bradford J. Lachut, Esq.
Bradford J. Lachut, Esq., joined PIA as government affairs counsel for the Government & Industry Affairs Department in 2012 and then, after a four-month leave, he returned to the association in 2018 as director of government & industry affairs responsible for all legal, government relations and insurance industry liaison programs for the five state associations. Prior to PIA, Brad worked as an attorney for Steven J. Baum PC, in Amherst, and as an associate attorney for the law office of James Morris in Buffalo. He also spent time serving as senior manager of government affairs at the Buffalo Niagara Partnership, a chamber of commerce serving the Buffalo, N.Y., region, his hometown. He received his juris doctorate from Buffalo Law School and his Bachelor of Science degree in Government and Politics from Utica College, Utica, N.Y. Brad is an active Mason and Shriner.