Averill Dickson, Partner at law firm Simmonds Stewart, takes time out with Delta Insurance General Manager Craig Kirk to discuss the finer points of liability insurance in the tech sector. Some excerpts from the Simmonds Stewart blog follow.
When should a start-up look to take out insurance?
Insurance is often a grudge purchase – even more so for tech entrepreneurs used to risk-taking. But, if used properly, it can help founders and directors sleep easy and focus on what matters most – growing their business. If you haven’t already got insurance, the times that you’ll need to think seriously about your insurance arrangements are when:
– you sign a major customer. Customers often require a range of insurances to be put in place, e.g. Professional Indemnity (Errors & Omissions) and Public/Products Liability insurance. For IT contracts, Cyber Liability insurance may be required too
– an independent director is appointed – they often want some element of protection
– you start doing business overseas. In some countries, the liability risks can be higher than doing business in New Zealand. This is because certain countries tend to be more litigious (e.g., as a crude rule of thumb, Australia is 25-50% more litigious than NZ, and the United States is twice as litigious) and there is additional exposure to liability for personal injury overseas (in New Zealand, due to the accident compensation (ACC) scheme, people who have suffered personal injury have only limited rights to sue an at-fault party)
– you are raising capital. If structured correctly, insurance can protect directors from allegations of misrepresentation in IMs or offer documents.
What’s the most common policy for tech businesses?
Professional Indemnity (Errors & Omissions) and Public/Products Liability insurance are the go-to policies for tech businesses. These are often packaged as a comprehensive Technology Liability policy, which is tailor-made for the tech sector.
What do these policies protect against?
Professional Indemnity insurance provides cover against errors and omissions made when providing services, e.g.: errors in software code developed for a customer, errors in website design, errors or omissions in a SaaS offering, data hosting failure, loss of customer data.
Public/Products Liability insurance provides cover against liabilities arising from personal injury or property damage caused when providing services or products, e.g.: damage to premises, equipment or stock while working onsite at a customer’s premises, damage to property caused by an electrical fault in a product, when products are sold outside New Zealand, personal injury caused by a fault in a product.
Are there any other policies tech businesses should think about?
Directors & Officers Liability insurance protects the company and its personnel against liability arising from actions taken by directors and officers on the company’s behalf (so long as they claim in their capacity as directors & officers). This could happen if an action is brought against the directors for breach of their director duties. The insurance also protects against personal exposure to damages, claims or investigations by a range of stakeholders, including shareholders, creditors, employees, or regulators (such as the Financial Markets Authority).
Cyber Liability insurance protects against the costs arising from data breach incidents, malicious attacks, and the loss or theft of third party data. Claim examples include private user data leaks or a DDoS attack causing shut down of a site. This insurance has some cross-over with Technology Liability insurance, as a good Technology Liability policy should cover you for liability to third parties arising from these types of events.
However, the Cyber Liability insurance includes cover for internal costs incurred as a result of a data breach or malicious attack (which will not be covered by the Technology Liability policy). Examples of these costs are: the costs of engaging cyber security experts to get your business back up and running, data restoration costs, public relations costs and the financial cost of the business interruption (loss of revenue).
Many tech companies also purchase Statutory Liability insurance which covers a business if it is prosecuted under certain statutes, such as the Fair Trading Act 1986 or the Health and Safety at Work Act 2015. Cover includes defence costs, investigation costs, statutory reparation and statutory fines where these are insurable by law.
Does insurance vary for different tech businesses?
There is no one size fits all approach in the tech space as companies, business activities, and risks vary greatly. Cover which works well for one part of the sector may not do the same in others. You should tailor your insurance policies to your specific line of business. E.g.:
– a tech consulting or software/SaaS company will focus on Professional Indemnity (Errors & Omissions) cover
– a hardware manufacturer will be concerned about product liability risk
– SaaS providers, data hosting companies, and website hosting companies may want to insure against first party costs (including business interruption costs) associated with cyber breaches and attacks.
What should you do when you make a claim?
Notifying your insurer is key – most liability insurance policies require this. You should provide notice even if your customer has simply signalled that they are not happy and may sue, but has not made a formal claim. Your first port of call should be your insurance broker (if you have one). They can assist with making a claim and managing your communications with the insurer. When in doubt, it is better to notify of an issue – a disclosure of a potential dispute that does not result in a claim will generally not affect your premiums. However, failing to disclose a possible claim may provide the insurer with the right to decline your claim or only pay a proportion of it. Another good reason to notify early is that insurers are skilled at handling legal disputes. Involving the insurer early may lead to a quicker resolution of the issue.
Does Technology Liability insurance protect against all contractual liability to customers?
Broadly speaking, Technology Liability policies cover liabilities arising out of contractual obligations agreed to by a tech service provider. But this kind of insurance is intended to provide cover for obligations which exist at common law (e.g. that the insured party will use reasonable care and skill), not additional obligations to which a supplier may agree. As a result, these policies usually exclude any assumed liability. In short, if you promise to deliver to a higher standard than the common law standard, or to assume liability for losses in addition to those for which you would’ve been liable at common law (e.g. indirect losses), you will not have cover for those promises or additional losses.
Customers sometimes ask suppliers to name the customer as an insured party under the policy – what are the implications of this?
Whether this can be done will depend on the policy. Most Product/Public liability insurance automatically includes cover for the principal (i.e. the customer) to the extent that the principal is vicariously liable for the supplier’s work.
Professional Indemnity policies operate differently. Often, the policy is triggered by a customer (i.e. the principal) bringing a claim against the supplier for damages arising out of alleged negligence by the supplier. Insurance policies usually exclude cover where one insured is suing another insured. This means that if a customer is named as a joint insured, they will have no cover under the policy for customer claims against the supplier.
What should a tech business look for when choosing an insurance broker or insurer?
It is important to choose both an insurer and a broker that understand the nature of tech companies and the risks that they are exposed to. Also, the quality of insurers and their willingness to pay claims varies a lot. Having an experienced insurance broker means a greater likelihood of the insurance being placed correctly in the first place with an insurer that understands the risks and provides the necessary cover.
Businesses should also review insurance partners as they grow and evolve, including when they start operating in overseas countries. E.g., if you expand to the United States, you want to ensure your broker understands US insurance issues and the insurer is properly represented in that country.
What are some of the things that insurers look for when underwriting a tech company?
Underwriting focuses on a risk assessment of the company. This, in turn, influences the premiums and the insurance terms and conditions offered. Key factors that an underwriter will consider when assessing a company’s risk include:
– the company’s size (larger generally means more risk because of more customers and more services being offered, but it can also mean an increased quality of risk management)
– the jurisdictions in which the company trades
– the nature of the services or products being offered (some products or services are inherently riskier than others)
– the nature of the customer base (some customers, e.g. financial institutions, are riskier than others as they may be more litigious)
– the quality of contract management (how does the business manage its contractual liabilities?)
– the quality of processes for protecting the company’s position on key issues like product testing and intellectual property
– the quality of cyber security controls and procedures.
Ultimately, insurers are open to businesses who are aware of, and proactive about, managing risk. This limits the likelihood of litigation arising, meaning businesses will be well-positioned to negotiate good insurance terms and conditions.