By Lynda A. Bennett and Eric Jesse
Insurance has a critical role in any tech company, whether it’s a start-up, securing seed money, or pathing toward an IPO or acquisition. Companies should keep in mind that their insurance needs will change and grow throughout that life cycle; therefore, those needs should be evaluated on a regular basis.
The Start-Up Stage. Most start-ups begin with a “business owners policy” (“BOP”), which covers bodily injury, property damage, and certain advertising and personal injuries. If the company has any employees, it must also purchase workers compensation coverage, which is required by law. These policies generally do not entail a significant premium investment and provide “basic needs” coverage.
Seed Stage & Beyond. As a company achieves greater success, hires more employees, and solicits investment, it should consider “directors and officers” (“D&O”) and “employment practices liability” (“EPL”) coverage. Insurers often package both coverages into a single “management liability” policy. D&O policies insure directors, officers, and sometimes the company for corporate-related “wrongful acts.” EPL insurance generally covers the company and executives for employees’ discrimination, harassment, and retaliation claims.
Although this coverage will require a greater premium investment, it will help to demonstrate the company’s sophistication and responsible risk management practices to investors. In fact, many investors expect and require D&O insurance, particularly if the investor (or a representative) will join the board of directors. Moreover, if the company’s goal is to be acquired, it should consider purchasing D&O insurance years in advance. With an existing D&O policy in place, the company should be able to purchase “tail coverage,” i.e., coverage for claims asserted after the acquisition for alleged conduct that took place before the acquisition. Companies that wait until the eve of acquisition face limited options: most insurers are not incentivized to insure risks when little premium has been collected, the company is “on the block,” and there is a limited (or no) track record with respect to claims risk.
Consider Cyber Insurance. With constant reports of hacking and stolen personal and confidential data, tech companies also should consider cyber insurance in their risk management plan. The losses that stem from a data breach vary and can be expensive including lawsuits, regulatory fines, credit card company “fines,” notification costs, lost data, lost profits, cyber extortion, and reputational harm. Cyber insurance may cover these risks but not all cyber policies are the same. Cyber policy forms must be carefully reviewed and tailored to address the company’s specific risks.
Once the company decides to purchase insurance coverage, there are a few common pitfalls that should be avoided to maximize coverage.
Specialized Brokers. Cyber and D&O insurance policies, in particular, are complex. Dozens of policy forms exist, each with dozens of defined terms (i.e., the fine print) that describes the coverage provided. And the scope of coverage provided can change year over year. There are insurance brokers who specialize in the placement of these types of policies. Companies should evaluate whether their current broker has the expertise to place these policies or whether a specialist is needed.
Beware of Professional Services Exclusions. D&O insurers often try to add “professional services” exclusions in their policies. These exclusions can undercut coverage by excluding all of the insured’s operations or vaguely excluding “professional services,” which is not defined in the policy. Insist on the removal of this exclusion. And if it must remain, narrow it as much as possible. The company may also need to explore a standalone professional liability (aka errors & omissions) policy to fill any gap that remains.
Prompt and Timely Notice. Insurance policies contain strict notice requirements that courts can, and do, enforce. Providing late notice of a claim can be fatal to coverage. Notice requirements are typically triggered by receipt of a “Claim,” which policies define as more than just a lawsuit. “Claim” can also include a letter threatening legal action, a request to mediate, or a tolling agreement. As a best practice, companies should have a procedure in place that requires all employees to transmit all threats of legal action to a designated corporate officer to determine if the threat is a “Claim” that must be reported to the insurer. In addition, companies should modify the notice requirements of the insurance policy so that the notice obligation does not arise until a C level executive has knowledge of the Claim.
Lynda A. Bennett, Esq.
Chair, Insurance Recovery Practice
Lowenstein Sandler LLP