Insurance Coverage Info - Business Enablement

There are five main types of insurance policies that a growth-stage SaaS company should consider carrying.

  • Technology Errors & Omissions (E&O) Insurance

  • Cyber Liability Insurance

  • Directors & Officers Insurance (D&O)

  • Employment Practices Liability Insurance (EPLI)

  • General Liability/Property Insurance

Technology Errors and Omissions Insurance

Technology Errors and Omissions Insurance, also referred to as Professional Liability or E&O, is a form of liability coverage that protects businesses that provide or sell technology services and products. It keeps a business from bearing the full cost of defending against a negligence claim made by a client, and of any damages awarded in a civil lawsuit. Covered businesses include those that sell and service computer products, but also graphic designers and advertising agencies that create digital content that could harm a company’s reputation, and computer programmers whose faulty website code causes a business to mail products to the wrong addresses.

This policy, also known as Professional Liability Insurance, offers protection from lawsuits alleging you were negligent in your duties as part of an ongoing professional relationship. If someone – for instance a vendor with whom you contract or a customer bound by an end-user agreement – sues you for failing to uphold your end of the bargain, this policy kicks in to provide defense costs. Think of it as malpractice insurance for tech firms.

Of the types of insurance to consider, from our perspective, this is the most important one, as most of a SaaS company’s operations, and therefore potential business risks, lie in serving customers.

Risk assessment:

The most common rating factor for E&O risk is annual revenue. Underwriters reason that the more business you are conducting, the greater the exposure to a Professional Liability suit, and revenue level is the best proxy for that exposure.

Identify risk coverage:

The best proxy for how much coverage to carry, like the underwriter’s risk assessment, is revenue level. It’s recommended that a company carry between $500k and $1 million in E&O coverage for every $5 million in revenue, depending on your average contract value, the contract value and revenue concentration of your largest customer(s), and any specific risks (such as liability caps or indemnities) in your customer or vendor contracts.

Cyber Liability Insurance

Cyber and privacy insurance is often confused with technology errors and omissions (tech E&O) insurance. In contrast to cyber and privacy insurance, tech E&O coverage is intended to protect providers of technology products and services, such as computer software and hardware manufacturers, website designers, and firms that store corporate data on an off-site basis. Nevertheless, tech E&O insurance policies do contain a number of the same insuring agreements as cyber and privacy policies.

The information security and privacy liability insuring agreement covers the insured's liability for damages resulting from a data breach. Such liability most often results from:

  1. Loss, theft, or unauthorized disclosure of personally identifiable information (PII) in the insured's care, custody, and control.

  2. Damage to data stored in the insured's computer systems belonging to a third party.

  3. Transmission of malicious code or denial of service to a third party's computer system.

  4. Failure to timely disclose a data breach.

  5. Failure of the insured to comply with its privacy policy prohibiting disclosure or sharing of PII.

  6. Failure to administer an identity theft program required by governmental regulation or to take necessary actions to prevent identity theft.

In addition, this insuring agreement covers the cost of defending claims associated with each of these circumstances.

The information security and privacy liability insurance agreement is the true liability coverage component of a cyber and privacy insurance policy because it pays actual liability losses sustained from claims made against the insured by various parties. In contrast, the privacy notification and crisis management expense coverage insuring agreement addresses the so-called immediate response costs associated with a data breach, making payments on a "no-fault" basis and without admission of liability.

Cyber and privacy insurance, by contrast, is a type of insurance designed to cover consumers of technology services or products. More specifically, the policies are intended to cover a variety of both liability and property losses that may result when a business engages in various electronic activities, such as selling on the Internet or collecting data within its internal electronic network.

Most notably, but not exclusively, cyber and privacy policies cover a business' liability for a data breach in which its customers' personal information, such as Social Security or credit card numbers, is exposed or stolen by a hacker or other criminal who has gained access to the firm's electronic network. The policies cover a variety of expenses associated with data breaches, including notification costs, credit monitoring, the cost of defending claims brought by state regulators, fines and penalties, and losses resulting from identity theft.

In addition, the policies cover liability arising from website media content, as well as first-party property exposures from (a) business interruption, (b) data loss/destruction, (c) computer fraud, (d) funds transfer loss, and (e) cyber extortion (ransomware).

Cyber Liability Insurance

This policy fills in the computer and internet-related gaps left by other policies. Its purpose is to pay for defense costs from data breach litigation as well as some of the other expenses associated with cyber attacks.

These include:

  • The costs of notifying your customers and providing credit monitoring for them.

  • The costs incurred after a hacker uses your system as a conduit to access a third party’s system and you are sued as a result.

  • The costs of a business interruption after a cyber-attack locks up your systems.

  • The costs of a forensic investigation into the source of the breach.

Hacking is something for all companies to be aware of in today’s day and age, but SaaS Capital only works with B2B companies, so this type of insurance is less necessary for them than for B2C companies that manage consumer data. An exception would be if your product handles your customers’ customers’ data. Note, too, that the business interruption and third-party "conduit" scenarios above do not depend on storing consumer PII at all; a B2B company with no consumer records can still be locked out of its own systems or sued after its environment is used to reach a customer's.

How is risk assessed?

The most common factors in cyber liability ratings are the number of personally identifiable information (PII) and protected health information (PHI) records stored on your systems, together with overall company revenue. While PII and PHI record counts are the driving force, revenue is again a proxy for the size of the business and the potential size of a claim. So, as a B2B company, and depending on what your product does, you may conclude that the risk or cost of a hack is small enough not to require this type of insurance.

How much coverage should you carry?

If you obtain and store consumers’ personal information, it is recommended that you carry $500k to $1 million in Cyber coverage, though customer or vendor contracts can sometimes dictate a higher amount. Another useful benchmark is that the average cost to recover one person’s compromised records is about $4; multiplying that figure by the number of PII and PHI records your company holds gives a rough floor for how much coverage to carry. Another useful data point is that, according to one insurer, cyber claims average between $400k and $500k in total expenses.

Directors & Officers Insurance (D&O)

D&O insurance covers damages levied against executives personally when they are specifically named in a lawsuit or regulatory action and the company is unable to indemnify them. It is most often carried as a way for management to be insured against damages from being sued by investors.

Some common claims include:

  • Claims made against management by investors (e.g. breach of fiduciary duty)

  • Securities-related claims (e.g. misrepresentation, improper valuation)

  • Claims from competitors (e.g. theft of trade secrets, tortious interference, unfair competition)

  • Claims from vendors and other counterparties (e.g. fraud, misrepresentation)

How is risk assessed?

The most common and relevant factor underwriters consider when underwriting D&O policies is the financial strength of the company. You should be prepared to share financial statements and vendor and customer contracts as part of any corporate insurance underwriting process, but especially for D&O insurance. For D&O, underwriters will focus on the company's burn rate, runway, and financial responsibility.

How much coverage should I carry?

Since this policy typically covers executives of venture-backed companies, the first test for whether you even need D&O insurance is whether or not you’ve raised a bona fide venture round. If not, you may choose not to carry D&O insurance. If so, then the best proxy for how much insurance to carry is the amount of capital you’ve raised. It’s recommended to carry $500k to $1 million in D&O coverage for every ~$5 million raised.