Tech E&O insurance, cyber security/ data breach insurance, Electronic Data Processing Insurance or Digital Asset Insurance: Which insurance will meet all the needs of your technology business?
This article assumes that a technology company will normally already have basic commercial general liability insurance coverage and business property insurance or a business owner’s package with or without excess or umbrella insurance. These fundamental types of commercial insurance, while critically necessary, do not provide protection for everything due to exclusions contained in the policy and/or terminology and verbiage used in the insurance contract. More than one type of insurance which is essential for tech companies are still lacking. For instance, Commercial General Liability sometimes covers damages for errors and omissions due to the failure of a product IF you have a tangible property loss, but most times it does not as there is no tangible property loss. Another example is Umbrella insurance while desirable, often excludes any E&O coverage totally. You still want to have an umbrella which adds higher limits of coverage to other types of insurance your company carries. The real answer to which insurance will meet all of your tech companies needs is most likely “none of the above” but insurance policies can be combined to give you the maximum coverage possible.
So the tech company may need just one additional policy, or several more types of or stand-alone insurance policies to address risks which are foreseeable in the tech industry. The two most well know types are cyber insurance/ data breach and professional liability or E&O Insurance. Other types you may need would include are Electronic Data Processing and/or Digital Asset Insurance. New products are emerging to meet the needs of technology and others may be added in the near future. Technology insurance is not yet standardized. Adding one or more of the types of coverage which are available now will add layers of protection to your existing insurance and can provide full protection for every conceivable risk when they are fitted together like pieces of a puzzle to solve the insurance quandary faced by your company specifically.
Small to midsize technology company’s face rapidly evolving roles and ever changing work climates on a routine basis. In fact, it is very difficult to find a consensus on a singular definition for a “tech company”.
Insurance coverage for the technology industry is best selected by the role or the function of the company. There are tremendous variances in “tech” companies and how they operate and what they do. If you are a technology company you could be a computer information technology company, a data storage company, a data management technology company or a computer technology company which manufactures computers or designs computer systems, or writes computer codes for certain industries; or builds operating systems for all types of products including tech gadget or apps. The company could even provide all of these services. Any and all of the companies described above, along with hundreds of others, can be classified as a technology company. But the functions performed by the company are the key to knowing what actions you need to have insured.
The demands for diverse types of technology fosters the vast species of tech companies and leads to varying claims against tech companies which usually arise due to either the failure of the product provided by, or the services performed by the “technology “company, or both. So the owner must determine what specific coverage is tailored to protect the company’s products or performance from liability by thoroughly examining what insurance is available for this industry and what exactly does the insurance policy cover.
In most businesses or professions, Professional Liability or E&O (Errors and Omissions) is a critical need. Technology is no exception. In the technology vernacular this is most frequently referred to as a Tech E&O policy. Let’s say that your tech company “Best Tech Company Ever” designed a computer system for a client and selected ,but did not manufacture the components, and now manages and stores the data produced from the computer system and analyzes the raw data and provides analytic data to the client. Undoubtedly, Best Ever Tech Company needs to be fully covered for errors and omissions on the part of employees and owners. Tech E & O provides wide coverage for a host of services including data hosting, data processing, computer systems analysis, network management services and software programming. “5 Insurance Issues to consider in Tech Transactions,” http://blogs.orrick.com/insurance/authorD.Teshima
The BETC Company needs errors and omissions insurance with coverage for computer systems design, computer analytics, data management and data storage coverage. Tech E& O would cover all of these provisions as negligent acts. However, E&O does not include intentional acts or torts so you still need another layer of protection.
BETC doesn’t need E&O coverage for manufacturing the system or the components, (products liability) but does need coverage for design of the computer system if it does not work as anticipated, either due to the parts or software not being compatible or other inherent flaws. The company could possibly need coverage for loss to the client’s income if the computer design of the new system caused the product not to work in the intended fashion. BETC also needs to be insured for its advice and recommendations on what components to purchase to make the system run efficiently, coverage for the result of their data analysis, if incorrect, or the system is unable to perform comprehensive analysis, and coverage for the data being stored for the client regardless of the methodology used for storage if there is a negligent error which causes a loss of data.
Tech errors and omissions should be sufficient for most employees but the owner needs to investigate whether the policy needs additional cover age for Officers and Directors Errors and Omissions who may not be involved in the technology side of the business. This could be added by an endorsement or a rider to the BOP or Tech errors and Omissions.
Cyber Security is also advised for BETC. Cyber security differs from E&O. Cyber security covers network security failure and breach of data which are not the result of an employee’s negligent error such as an accidental error, but rather a direct act or attack usually by a hacker which can be accompanied by a demand for ransom. Cyber security also covers an employee’s actions if intentional or fraudulent, rather than an error. Cyber security is very complex and there are various ways to structure a policy. ISO has not yet issued a standard form for use. There are numerous questions to consider and the owner should conduct a thorough risk analysis with his agent before deciding upon cyber security insurance policy. Some of these are:
- Does it cover both 3rd party liabilities for your client’s breach of their privacy and first party coverage for you the insured?
- Does the triggering event language limit to an intentional breach or is it triggered by any failure to protect data by the insured which is preferable
- Is there coverage if the insured fails to disclose the breach
- What event triggers the duty to defend? A liberal approach would be if a request for information is the trigger while the most restrictive is the actual filing of a law suit as trigger. You would want to have the earliest trigger possible
- Are civil fines and penalties covered
- Are notification costs covered? There is a wide variance in what cost are covered which varies according to each individual state. Does the coverage limit you to using vendors for notification which are picked by the insurance carrier?
- Most importantly in some case does it cover data loss and the cost to regain the data?
- Another major factor for consideration is does the policy exclude acts of terrorism or war. If excluded then be very wary and make sure that the policy clearly states that extortion, using ransom-ware or doxware and/or security breaches are not excluded under this clause.
As each technology company is unique the above list is representative only and not exhaustive. For a more in depth discussion see: “Analyzing Cyber Risk Coverage, http://http;//riskandinsurance.com/author/steve-raptis
In the past, coverage for computer equipment was based on business property insurance, however it often excluded losses caused by computer viruses or hacking which newer Cyber insurance policies now cover. Separate and apart from cyber security issues, Electronic Data Processing Insurance developed simultaneously and was designed to specifically address computer operations. EDP insurance covers computer equipment, Media Data and Data Recovery. It is meant to cover break down of the equipment and resulting losses from inability to process the data. Another method is to add an enhanced super stretch such as those offered by the Hartford to a BOP, which can cover computer hardware and software as well as damages to the equipment from changes in temperature. A change in temperature can be a major issue when large heat producing computers become damaged after a loss of power or equipment failure which then causes the heat to rise further: or can cause a sprinkler system to activate ruining the equipment.
There is also Digital Asset Insurance policies which are not as widely known. Historically, digital loss was covered by a clause in an existing cyber security policy which assigned a very low indemnity value to the digital assets and generally covered damages from natural disasters only. New solutions have been developed to go hand in glove with cyber security, or property insurance. The value of the lost digital asset can be set at the time coverage is bound and the asset can be insured for up to millions of dollars. The value is set by the underwriter and assigned an indemnity value based on actual value or the data which is lost. It also features insurer approved back up and data management and can be purchased even whether the data is on the premises in a data server center or a cloud applications
Technology companies are at high risk of loss due to proliferation of new technologies and the correlating data and information produced. These businesses are changing the insurance world’s appetite for risk, steering away from natural disasters, and focusing on processes guided by humans and products developed by humans with the aid of data and data processing. In short technology companies are entering uncharted ground and will blaze a new navigational chart for insurance providers and carrier as they proceed along their course. Careful insurance planning is critical to the company’s health so they are not blown off their course due to loss of data from error, theft, mistake or any other event.