Better Insurance Through Generations Of Experience & Personal Attention

Protecting executives and their assets since 1944.


Navigating the ever-changing risk landscape is difficult. One hidden risk can sink an already established company. The first step is knowing what lies ahead. Let us help with “Risk Alerts”, our complimentary monthly alert program designed to promote a more risk-conscious corporate culture.


Guides & Whitepapers

  • D&O Insurance Guide, Checklist and 2026 Trends

    Directors and officers insurance is actually a bit of a misleading name. D&O is very similar to errors and omissions insurance; however, instead of covering professional service failures, it covers alleged mismanagement by both the company and its executives. Only one third of a D&O policy (Side A insurance) truly protects the corporate officers. The remaining two thirds of a D&O policy (Sides B and C) actually protect the company itself by protecting its balance sheet, covering claims made against the entity itself, and paying indemnifiable claims brought against its executives that would otherwise have to be paid by the company. For a more in-depth explanation of the ABC’s of D&O, please see our recent insight here.

    Corporate officers will be operating in a particularly challenging environment heading into 2026. Economic instability, tariffs, inflation and the emergence of artificial intelligence are combining into a multi-faceted risk environment that presents a number of unpredictable challenges. Before addressing some of the policy coverages and providing recommendations for reviewing policy terms, it’s important to understand the current risk landscape.

    Emerging Risks for 2026

    Artificial Intelligence: According to recent statistics, well over half of all US companies have implemented AI for one or more operational processes within their organization. Errors in models, hallucinations, bias (including price discrimination), discrimination (when using AI to make employment decisions), misrepresenting the capabilities of AI, failing to disclose the use of AI within an organization, and unlawfully collecting data are just a few types of claims that can trigger shareholder litigation. Executives also face the added risk of regulatory enforcement and fines resulting from compliance failures. The current AI regulatory environment is a dizzying patchwork of emerging regulations passed at the state level (each differing considerably) and amendments to existing discrimination and privacy laws (among others). According to IAPP’s regulation tracker, as of today there are nearly two dozen regulations on the docket. Further complicating matters, few insurers, attorneys and/or insurance brokers understand the risks associated with AI and how existing insurance policy language may (or may not) respond. In response to these concerns, some carriers are slowly beginning to implement extremely broad AI exclusions, eliminating coverage for any claims in any way related to the use of AI systems.

    Tariffs and Inflation: Tariffs and inflation are regularly cited as one of the most significant concerns among the c-suite heading into 2026. In addition to any increased manufacturing and procurement costs which can reduce profits, customers/clients may also reduce spending or seek alternative solutions, resulting in lost clientele. Companies that fail to adequately disclose their exposure to the risks posed by the tariffs and inflation, or those that fail to properly plan may further attract investor litigation. This can lead to some companies implementing “questionable” accounting practices which can attract shareholder claims. Additionally, concerns over the financial effects of tariffs and inflation can result in decreased investor activity creating challenges in raising additional capital.

    Economic Uncertainty and Increased Insolvencies: According to Cornerstone Research, mega bankruptcies increased significantly in 2025 and S&P Global also reported a very active first half of 2025 - and the effects of tariffs and inflation are still to be fully felt. In response to economic uncertainty, companies would be wise to plan for a worst case scenario, ensuring their D&O programs are properly structured for downturns, mass layoffs, creditor claims and any potential insolvencies – emphasizing the importance of an adequate layer of Side A DIC. 

    Litigation Involving Product Failures and False Advertising: There appears to be a surge in litigation against consumer product companies alleging product failures and misrepresentations, resulting in significant defense costs and potentially large settlements. Similarly, there has also been a continued increase in litigation (including regulatory actions and class actions) alleging false advertising and deceptive pricing. As a result, some carriers are beginning to tighten the terms of their product defect, false advertising and deceptive trade practice exclusions.

    Continued Cyber and Privacy Litigation: The number of data breach and privacy-related lawsuits is at an all-time high. According to IAPP, the number of privacy litigation cases filed annually has increased regularly year over year, nearly doubling since 2020, and is continuing its steady climb. As a result, follow-on shareholder claims and derivative actions are also more likely now than ever.

    Emerging Employment Litigation: In a more welcome trend for corporate officers, EEOC enforcement decreased significantly in 2025. There are, however, some newer trends increasing liability. Pay transparency laws are emerging, as is the potential for discrimination lawsuits stemming from suspected bias in AI models used to make employment decisions, and claims alleging discriminatory pricing practices (which could potentially be covered under the third-party insuring agreement within an EPLI policy). Many state lawmakers have been addressing these issues with newly passed or proposed legislation.

    Cross Border Risks: It’s not uncommon for tech companies to begin operations in a foreign country (possibly with a US holding company), only to later expand to the US as their product matures. In some cases, these foreign entities may have coverage placed in their local country, which is believed to extend adequate protection to their US subsidiary; this is often not the case. In addition to being drafted according to local law (which can create coverage gaps), foreign policies may also contain problematic “choice of law” clauses, or may even exclude suits brought in the US altogether, which is not uncommon. Relying on such foreign-placed coverage, which is often inadequate, can also create risk for any US-based PE/VC firms, in the form of “alter ego” and “control person” liability.

    Coverage Considerations

    • When D&O is purchased alongside other coverages, such as EPLI, crime or fiduciary liability, are policy limits shared or dedicated?
    • Has the organization properly covered all entities for whom coverage is intended? This would include any subsidiaries, foreign entities (that may require separate locally placed coverage), former entity names (if there have been any name changes), advisory board members, etc. 
    • Does the policy provide 100% defense cost allocation?
    • Does the policy provide for an advancement of defense costs if the company wrongfully refuses to provide indemnification?
    • Does the policy contain a carve-back for capital raised under the JOBS Act? Where some carriers explicitly provide full coverage, some contain sub-limited coverage and yet others only agree to provide a quote should such capital be raised under the act. 
    • Does the policy contain a problematic majority shareholder exclusion? Most carriers will exclude coverage for claims brought by any shareholders with over 10% equity with some carriers going as low as 5%. However some carriers contain no such exclusions and almost all carriers will agree to remove a majority shareholder exclusion, should any/all individuals meeting such ownership thresholds have board representation. In such cases, most claims involving infighting would still be excluded by the "insured vs insured" exclusion, however, since the "I vs I" exclusion does contain carvebacks, this would still provide more favorable terms. 
    • Is coverage included for books and records costs (associated with derivative actions) - an enhancement more carriers today are willing to provide.
    • Is the policy's coverage for entity related investigations broad? Or does it require a "wrongful act" or naming of an insured person (which both often only occur during "formal" investigations).
    • Does the policy contain an anti-trust or false advertising exclusion? Many carriers have begun to soften and/or remove such exclusions. 
    • Has the policy replaced its "insured vs insured" exclusion with the more favored "entity vs insured" exclusion (which could preserve coverage for some claims involving infighting)?
    • Are the policy's professional services and contractual exclusions overly broad or have they been appropriately narrowed (to preserve coverage for claims brought by shareholders and non indemnifiable claims against individual directors and officers)?
    • Does the policy contain any explicit AI exclusions? 
    • Has the organization incorporated any Side A DIC insurance?

    What's Excluded?

    While exclusions can vary significantly from carrier to carrier, most policies contain exclusions for the following claims (among others):

    Infighting: Many D&O policies contain “insured vs insured” exclusions that are intended to preclude coverage for infighting. There are however exceptions to this exclusion – most policies will carve back derivative claims, cross claims, claims brought by directors that have not served for 1-2 years, claims brought during insolvency, and claims brought by whistleblowers. Additionally some policies have since updated their forms to contain a more narrow “entity vs insured” exclusion, which is more favorable to policyholders.

    Professional Service Failures: Claims related to, or arising from, professional service failures are almost always excluded, as they are properly insured under an appropriate E&O policy. The problem, however, is that many service exclusions over-reach and can ultimately preclude coverage for claims that should be covered, such as those brought by shareholders, and non-indemnifiable claims against insured persons.

    Contract Disputes: Similarly almost all policies contain exclusions for contractual liabilities, as these are considered business risks within the insured’s control.  Such exclusions can however suffer from the same over-reach we discussed above. Since so many corporate acts rely on contracts, it’s extremely important to ensure any D&O policy secured contains appropriate carvebacks, otherwise it can act as a blanket exclusion precluding coverage for a wide range of claims.

    Illegal Conduct: Fraud, willful violations of law, and claims alleging illegally gained profit are always excluded if determined by a final adjudication. Almost all D&O policies will however fund the defense until such a ruling is made. When reviewing coverage, it’s also important to ensure the conduct exclusion contains appropriate severability language, preserving coverage for innocent/unaware insureds.  

    FAQ

    How Much Does Coverage Cost? Policies cost less than many might assume. Starting annual premiums for a policy with a $1 million limit are roughly as follows: $1,500 per year for non-profits, $3,000 for small private companies, $30k for small public companies, and upwards of $100k for larger or higher-risk organizations.

    Aren't I protected by the Corporate Veil and my Corporate Indemnification Agreement? Corporate veils do protect companies, to a certain extent. But court rulings can be unpredictable, and in certain situations corporate status can be bypassed, effectively exposing the directors' and officers’ personal assets. Claims asserting fraud, claims asserted by creditors that suffered from “gross under-capitalization”, and claims related to the commingling of assets are all examples of claims that can result in a piercing of the corporate veil. Companies that are "closely held" are also more likely to encounter such claims. While corporate indemnification is the first line of defense, that protection can still fail. Corporate officers may fall out of favor with the company, resulting in the company (wrongfully) refusing to provide indemnification; or the company may become insolvent or be legally prohibited from providing indemnification (as in the case of a derivative settlement, in most states).

    Does A Personal Umbrella Cover Me? Simply put, no, they don’t.

    Am I Protected by the Business Judgment Rule? The business judgment rule has long provided a certain layer of protection to officers when making business decisions. However, many recent court cases indicate that the business judgment rule does not provide the same level of protection that it did years ago.

  • 2026 Cyber Insurance Guide, Checklist & Risk Trends

    With cyber risk continuously ranking as one of the c-suite's top concerns, it’s difficult to address organizational risk management without discussing cyber insurance. Today's modern cyber policies have greatly evolved from the products of 5-10 years ago. Many policies now provide very broad protection against a wide range of risks including emerging privacy litigation, ransomware, e-crimes, media liability, data breaches, crypto-jacking, and even emerging AI exposures. One of the biggest benefits of cyber insurance policies, however, is the response they provide: attacks can be disorienting, creating considerable confusion, urgency and reputational damage. Cyber insurance effectively provides a team of panel experts who are immediately accessible and ready to respond. Before discussing the basic cyber insuring agreements and providing recommendations for reviewing policy terms, it’s important to understand the current risk landscape.

    2026 CYBER RISK TRENDS

    Increasing Privacy and Data-Breach Litigation: The number of lawsuits (including class action lawsuits) being brought against companies following privacy incidents and data breaches has been steadily increasing. A recent report by IAPP indicates the number of annual cases filed has almost doubled since 2020. This is likely being driven by more effective strategies by plaintiffs’ firms improving their pleadings, stricter data protection laws, and courts becoming more willing to hear privacy cases.

    Emerging Artificial Intelligence Risks: Cyber risk has evolved tremendously over the past few years. One of the most recent developments is the use of artificial intelligence by threat actors, who are now using AI to assist with their ransomware attacks and negotiate ransom demands, and to spoof high-level executives into making fraudulent transfers. It is also being reported that some threat actors are using AI bots to create fictitious LinkedIn accounts and apply for (and be accepted into) remote positions. Artificial intelligence has also resulted in increased media liability, as organizations use AI to generate content, which can result in copyright and trademark claims. Some recent regulations, as discussed below, now appear aimed at requiring proper disclosures related to AI-generated content and AI-collected data, and at providing AI whistleblower protections. Insurers have had mixed responses to the emerging risks posed by artificial intelligence. Some carriers are adding explicit endorsements affirming coverage for certain claims such as AI spoofing, whereas others are remaining silent. Additionally, some carriers are beginning to add specific AI exclusions to their media liability insuring clause, precluding coverage for AI-generated media.

    Continued Supply Chain Attacks: Supply chain attacks targeting larger third-party vendors have proven to be an effective method for hackers looking to infiltrate systems and access data on a much wider scale. A single successful attack on a larger software or service provider can flow downstream, affecting an extremely large network of users. According to Cyble’s recent report, such supply chain attacks have doubled since 2024. These incidents will likely increase as a result of AI: as more and more companies begin implementing third-party AI solutions, malicious actors will have a wider net of providers to target. In response, policyholders should be on the lookout for “widespread event” exclusions (as discussed below), which some insurers are beginning to attach to their policies.

    Increasing Media Risk Via Influencers and Social Media: In the context of media liability, the usage of social media and influencers is also creating heightened exposure to claims involving libel, slander and copyright/trademark claims, whose damages may be covered (or partially covered) by the media agreement within a cyber policy. Malicious actors are also knowingly leveraging social media to assist with their attacks. Such platforms may be used to gather information, build trust, or as a weak entry point to gain other credentials. Again, carriers remain mixed with their responses, with some insurers attaching explicit exclusions (particularly to their media liability coverage portion), with others including endorsements confirming coverage for media posted on social platforms.  

    Continued Biometric Claims: The protection of biometric data (such as fingerprints and facial recognition data) has become of particular importance since Illinois’ passage of BIPA (the Biometric Information Privacy Act), with Texas and Washington passing similar statutes. Organizations that possess any biometric data, such as users’ facial recognition data or employees’ fingerprints, need to be aware of the potential damages involved with failing to protect such data. Accordingly, the c-suite should perform careful cyber policy reviews, as coverage for such violations may be precluded.

    VPNs are Becoming High Risk: Many cyber insurers are reporting that VPNs are becoming the greatest vector for ransomware attacks, with Cisco and Citrix products being among the riskiest.

    New and Emerging Data Collection Claims: Data collection claims can generally be grouped into a few categories. Pixel tracking claims, the primary driver, have ballooned over the past few years, driven by a handful of plaintiffs and plaintiff firms. These claims allege that an organization’s use of “pixel tracking” (collecting small bits of user data) violates wiretapping laws and other regulations. In some cases, organizations may not even be aware that such data is being collected, as plugins may have been installed by hired marketing companies. In addition to pixel tracking claims, litigation is also arising over “session replay” plugins (which capture a user’s session when visiting a website), email tracking plugins, and data collected by chatbots. Lastly, there are increasing concerns over data potentially being collected by AI providers, data which could then be used to further train AI models. Some recent regulations appear aimed at proper disclosures, requiring opt-in / opt-out protocols for the collection of such data. These emerging regulations will increase the need for strong regulatory coverage within insurance policies. Policyholders should also carefully check their policies for any data collection, wiretapping and/or pixel tracking exclusions, which are becoming increasingly common.

    Increasing Insider Threats: Insider threats appear to be increasing, driven by outsourcing, continued remote work arrangements, and the use of outside contractors. Such incidents are also likely to increase following any economic downturns and/or AI-driven layoffs.

    Moving on to policy coverage terms, below we'll begin with the basic insuring agreements, followed by some recommendations for policyholders and counsel when reviewing or placing coverage. For those with an understanding of the basic insuring agreements, please scroll down for a more in-depth discussion of recommended coverage terms.

    INSURING AGREEMENTS: THE BASICS

    Network Security and Privacy Liability: Almost all businesses transmit, store, or process some form of protected data, whether they realize it or not. In addition to employee data and corporate confidential information, today’s regulations such as CCPA and GDPR maintain very broad definitions of protected information that can range from names and dates of birth, to biometric data, to IP addresses. When that data is stolen, accessed or improperly disclosed, this insuring agreement provides coverage for any resulting investigation costs, defense costs, damages, and expenses that arise. It’s important to stress that not all privacy violations stem from data breaches. Employee errors such as lost laptops and/or erroneously emailing a database of protected information would also qualify as an incident. Additionally, many cyber policies can also provide coverage for failing to disclose an incident, as well as for violations of privacy policies and claims related to improper data collection practices.

    Media Liability: A form of coverage for advertising and publishing injury, this agreement provides defense costs and damages for claims asserting wrongful acts such as plagiarism, trademark violations and improper deep linking (among others), while publishing content online and via social media channels. Given the proliferation of AI produced content and concerns over plagiarism and copyright violations, some carriers have however begun to implement exclusions precluding coverage for any media generated by artificial systems.

    Errors and Omissions (E&O): While not included in all cyber policies, some carriers include an E&O insurance component which provides coverage for financial damages sustained by third parties such as clients and customers, when your services fail. Examples might include software failures, errors in providing media and advertising services, and poor work performed by web designers or IT consultants. It is however important to note that E&O coverage differs greatly. Well structured E&O policies should extend coverage to include claims resulting from breach of warranty, breach of contract and/or claims asserting failure to deliver.

    Regulatory Defense and Penalties: This insuring agreement provides coverage for attorney’s fees and costs associated with formal regulatory or administrative investigations. Stronger policies also provide affirmative coverage for any resulting fines or penalties stemming from privacy violations such as those imposed by HIPAA, CCPA and GDPR. These violations and resulting fines can stem from security failures, to improper data collection practices, to deceptive privacy practices, and more. For more information on assessing the regulatory coverage insuring agreement, please see our previously published guide.

    Extortion & Ransomware: Provides coverage for extortion demands resulting from ransomware attacks that might hold an organization’s network, website, data or software “hostage”.

    Data Breach Response Costs: Data breach response coverage provides coverage for the costs involved with performing a required forensic investigation, and any costs involved with notifying affected parties and providing any required identity restoration and/or credit monitoring.

    PCI Coverage: An important coverage for any business accepting credit card payments, PCI insurance provides coverage for fines and penalties arising from violations of PCI DSS requirements, such as failing to protect cardholder data or failing to implement proper security controls (firewalls, encrypted transmissions, etc.).

    Crisis Management Expenses: Data breaches can inflict significant damage to a company’s reputation. Restoring consumer confidence can be difficult. As a form of reputation insurance, this agreement provides coverage for the organization to hire a PR firm in order to help rebuild the organization’s brand and reputation following a security incident.

    Business Interruption and Data Restoration: Business interruption (lost income) caused by cyber incidents such as ransomware attacks is often one of the most significant damages incurred by affected organizations. Lost income is also just one component of the financial damages incurred; there are also considerable extra expenses such as payroll and overtime costs, travel costs, temporary relocation costs, and costs incurred in repairing or restoring any corrupted data or damaged networks. This insuring agreement provides coverage for the aforementioned damages. It should be noted that the scope of business interruption coverage can vary greatly from policy to policy. Some policies may limit this coverage only to security incidents, while others will also provide coverage for lost income resulting from a system outage. Additionally, some insurers may limit coverage only to attacks directly affecting the organization’s own networks, while others will extend coverage to incidents that might affect a cloud provider or business service provider. Some carriers are now going a step further to include coverage for "receiver" business income losses, which effectively extends contingent business income coverage, allowing coverage to be triggered by incidents affecting any party in the insured's upstream supply chain.

    E-Crime Coverage: E-crimes come in many shapes and sizes: Computer Fraud (resulting in direct theft of funds), Funds Transfer Fraud (fraudulent instructions sent to a bank), Social Engineering (being duped into making a fraudulent transfer), and Invoice Manipulation (duping an organization’s customers into making a fraudulent payment). With e-crimes being a leading source of losses for organizations, it’s absolutely critical to ensure all forms of e-crime are covered, and to perform a careful policy review to ensure policy terms are in order.


    REVIEWING POLICY TERMS

    Cyber insurance policies are extremely complex, fast moving, non-standardized and difficult to understand. To demonstrate their complexity: when drafting our cyber checklist, we counted upwards of 40 exclusions, so outlining all of the important terms, endorsements and exclusions is extremely difficult (if even possible). Below, however, are some good basic recommendations:

    Ensure Basic Terms Are In Order: Most policies today have evolved to comply with the below coverage recommendations, however given their importance, it should never be assumed that such terms are already included.

    • Definition of Data: The definition of data is an important consideration, especially for organizations that work more with corporate information, which may be further protected by corporate confidentiality agreements. Some policies take an extremely narrow stance on defining data, simply as driver's license information, dates of birth and social security information. Others contain more liberal definitions which include health information, corporate confidential information, and any protected information as defined by CCPA/GDPR or similar statutes. Purchasing a policy with a narrow definition can significantly compromise coverage. All policies provide coverage for digitally stored data; however, many companies also utilize paper files, such as applications, tax forms, employee records, health records, etc. Some policies contain exclusions for losses arising from the theft or disclosure of paper records.
    • Definition of Computers and Systems: Most companies rely on third-party software in one form or another, whether it be a cloud provider, SaaS software or a compliance program. Security incidents that affect your business service provider or off-site computer systems can result in claims against your company, ranging from lost profits to privacy violations, and can also result in lost business income. Some carriers include within their definitions coverage for breaches that affect service providers and off-site computer systems, while others intentionally preclude such language.
    • Are there Encryption Requirements: While data encryption is a wise recommendation, some companies may choose not to encrypt, or occasionally transmit or store data that is unencrypted. Some policies contain an encryption requirement, precluding coverage for any claims that arise from breaches that affect unencrypted data. As a side note, most cyber insurers will require encryption today and insureds will likely need to confirm such controls are in place when applying for coverage.
    • Are there minimum security standards: Some cyber risk insurance policies contain a condition precedent to coverage, requiring that the organization employ a certain level of security measures. Failure to do so can nullify coverage. Such requirements should be avoided when able.

    Secure Coverage Enhancements: Many carriers today will include a number of coverage enhancements. Among those included are coverage for:

    • Crypto Jacking and Utility Fraud Coverage: Coverage for attacks where malicious actors take over computer systems solely for the purpose of mining cryptocurrencies, causing computer systems to run at maximum capacity and resulting in slowdowns and increased utility costs.
    • Bricking Coverage: Covers the costs to replace any hardware that may be rendered inoperable.
    • Voluntary Shutdowns: Triggers coverage for business income damages for voluntary shut downs of any systems in order to prevent an attack or mitigate damages. 
    • CCPA and GDPR Endorsements: Broadens the definition of protected information to comply with regulations such as CCPA and GDPR
    • Affirmed BIPA Coverage: An endorsement providing (often sub-limited) coverage for BIPA claims.
    • Blanket Additional Insured Endorsements: Vendors and business partners are more commonly requesting to be named additional insured on cyber policies. This endorsement provides affirmative coverage on a blanket basis, where contracts contain such requirements.

    Avoid Problematic Exclusions: As mentioned above, cyber policies collectively contain upwards of 40 exclusions. While some of them are standard, others can be very problematic.

    • Broad Contractual Exclusions: Most policies will contain some form of a contractual exclusion; however, in the context of cyber insurance, it’s important to ensure proper carvebacks are obtained, such as carvebacks for PCI claims, confidentiality agreements and unintentional violations of privacy policies (among others).
    • Overly broad war exclusions: Cyber policies often contain war exclusions; however, some are broader than others and could be problematic in the event of a breach. Lloyd's of London notably amended their policy language late in 2023 with extremely broad language. Many cyber experts are concerned that overly broad exclusions could preclude coverage for certain breaches, such as situations where servers or networks are located in countries engaged in current conflicts, or those in which hackers claim a political motive or claim to be sponsored by a state-sponsored group.
    • Widespread event exclusions: Carriers are increasingly beginning to attach widespread event exclusions or heavy sub-limits, which exclude or limit coverage in attacks where multiple parties are affected by a single attack or vulnerability. Each policy is also different in how they define “widespread event” with the most aggressive exclusions only requiring another outside system to be affected. These exclusions should be avoided when able, as such attacks are becoming more commonplace.
    • Unsupported (end of life) software: Exclusions precluding coverage for incidents that affect unsupported (outdated) software.
    • AI exclusions: Artificial intelligence exclusions are not yet commonplace, however they are beginning to emerge and can pose serious coverage issues, as discussed here. The biggest concern is; the exclusions of coverage for spoofing attacks which use AI to trick corporate officers into fraudulent wire transfers. Another concern however, is; many organizations may be using AI within their cyber security environment, should that AI fail to detect or respond to a threat, or should an organization be affected by an AI launched attack, such an exclusion could nullify coverage.

    Ensure Vendors are Approved: Cyber insurers will not consent to incur any costs until a claim has been tendered, and they require that the insured use counsel and vendors approved by the insurer. To ensure that costs incurred at the early stage of an investigation are in fact covered by the policy, it is critical that the organization’s breach response plan align with its cyber policy’s terms: the plan should name the carrier’s notice requirements and contacts, and any preferred counsel and forensic/IT vendors must be approved by the carrier or added to the policy’s panel list before an incident occurs.

    Assess the Policy’s Business Interruption and Extra Expense Limit: As business income damages continue to increase, some insurers have now begun to apply lower sub-limits to their policy’s business interruption coverage. As a result, policyholders should perform an extremely careful assessment of both the policy’s terms and any limits. It’s also equally critical to discuss the carrier’s claim reputation with any insurance broker or counsel, as some carriers have more of a reputation for disputing certain business income related expenses.

    Implement “Ancillary” Coverages: One of the most important “ancillary coverages” is D&O insurance, which provides protection against claims brought by shareholders, vendors, regulators, customers and creditors following a cyber incident. Organizations should also consider crime insurance. While crime insurance covers many non-cyber losses, such as employee fraud and theft of money on or off premises, securing a crime policy alongside a cyber policy can in some cases help an organization achieve greater limits for e-crimes such as fraudulent transfers and social engineering losses.

    FAQ

    How Much Coverage Do I Need? This is a difficult question to answer. As an example, a ransomware attack can take upwards of a month to recover from, so in setting an appropriate ransomware limit an organization would need to anticipate what a ransom demand might look like (given demands against similarly sized peers), what the resulting lost income and extra expenses could total, and the additional costs such as forensics and data restoration. In calculating an appropriate e-crime limit, policyholders should consider the average and maximum value of any given transfer to help develop a baseline limit. There are also a few breach cost calculators published online by Chubb, At-Bay and Alexio (for healthcare institutions) that may be helpful.

    How Much Does It Cost? Simple cyber endorsements for small and mid-sized companies can cost as little as $1,000 per year, with broader stand-alone policies at $2,500 to $5,000 per year for a $1 million limit. Larger companies and those with greater risk profiles, such as healthcare institutions, may see premiums upwards of $20,000 per $1 million of limit.

    Do Breaches Affect Small Businesses? Yes. While statistics differ, it is estimated that anywhere from 50% to 90% of breaches affect the SME sector (small and mid-sized enterprises).

    We Don’t Store Any Info, Do We Still Need Insurance? Yes. As outlined above, protected information is defined extremely broadly today, and most companies process, store or transmit some form of protected data, whether employee data or user/client data. Breaches also do not solely target networks or protected information; in fact, e-crimes such as social engineering and invoice manipulation are among the leading causes of loss.

    What Security Controls Do I Need to Have Implemented? When applying for coverage, most carriers will require the basics from even smaller companies, including: encryption of data at rest and in transit (including email), multi-factor authentication (particularly for remote access, email and privileged accounts), appropriate data backup controls (offline or otherwise isolated backups that are tested), malware detection and, increasingly, EDR (endpoint detection and response). Larger companies and those with a greater risk profile will encounter stricter requirements, such as intrusion detection/prevention systems and data loss prevention systems. Because carriers verify these answers at claim time, the application should reflect what is actually deployed, not what is planned.

  • EPLI Insurance Guide

    Managing employees carries risk: behind every employment decision is a potential lawsuit. Prospective employees who are not hired may believe they were discriminated against, employees working long hours may believe they are not being properly compensated or promoted, and employees who are let go may believe they were wrongfully terminated. EPL insurance (also known as employment practices liability insurance) provides coverage for defense costs, damages and claim expenses resulting from employment-related claims. It also provides a team of specialized attorneys that the organization can consult when making difficult employment decisions, in order to minimize the likelihood of a claim and any resulting damages. For directors looking to perform in-depth policy reviews, we have published both a D&O Checklist and an EPLI Checklist to assist with coverage assessments.

    What Does EPLI Insurance Cover?

    As briefly mentioned above, employment-related claims can arise from a broad range of accusations. Depending on the business and its industry, certain claims may be more prevalent than others, as demonstrated below.

    • FAILURE TO HIRE & FAILURE TO PROMOTE: While these claims can affect any business, “failure to make partner” claims are particularly prevalent against law firms, asserted by employees/attorneys who, after dedicating years of long hours, are denied partner status or promised promotions.
    • WRONGFUL TERMINATION & BREACH OF EMPLOYMENT CONTRACT: The employment-at-will doctrine isn’t ironclad, and eliminating the position after termination won’t always prevent a claim. Employees who are fired often assert breaches of good faith and/or fraudulent inducement (among others).
    • DISCRIMINATION & EEOC ACTIONS: Many companies are male dominated at the executive level and regularly seek younger candidates, both of which can easily give rise to gender and age discrimination claims. Additionally, the EEOC provides a convenient (and cost-effective) avenue for employees who believe they have been discriminated against. These claims are not limited to blatant race or gender discrimination: activities such as improper criminal background checks on applications and questions related to family medical history on job applications can also result in EEOC actions.
    • WAGE & HOUR CLAIMS: Wage and hour claims are filed when employees believe that their employer has misclassified them as exempt, that they are working excessive hours, or that they are not receiving appropriate pay/benefits. Wage and hour claims have grown significantly over the past few years, and even claims without merit can be costly to defend.
    • SEXUAL HARASSMENT: Workplace sexual harassment claims can assert a myriad of accusations, including improper comments, inappropriate advances and unwelcome conduct. Male-dominated industries with a younger workforce (such as technology companies and financial firms) are increasingly exposed to such claims.
    • 3rd PARTY CLAIMS: Third-party EPLI coverage is particularly important for businesses with a large client base and those that interact heavily with the public, such as retailers, restaurants and commercial real estate owners. It provides protection against claims asserted by customers, vendors and other third parties. These can range from violations of the ADA (Americans with Disabilities Act), such as failing to provide wheelchair access, to accusations of sexual harassment, to claims by clients alleging they were discriminated against or did not receive the same level of professional attention. Not all policies provide third-party coverage, which is why it is important to perform a careful assessment.

    How Is EPLI Purchased? 

    • EPLI ENDORSEMENT: Adding an EPLI endorsement to an existing liability policy is one approach to purchasing coverage. This approach does have its downsides, however. Coverage is often sub-limited to $100k, $250k or $500k (inclusive of defense costs), which often does not provide enough protection. Additionally, the coverage provided is usually relatively basic. For example, these endorsements usually do not provide coverage for wage and hour claims, claims asserting breaches of employment contracts, or third-party claims asserted by clients or vendors. While an endorsement may be acceptable for small businesses, organizations seeking broad coverage will want to avoid such endorsements.
    • D&O POLICY: Packaging EPL insurance through a D&O policy is generally the most common approach, for several reasons. Most importantly, the coverage provided is broad. Employment claims also account for a considerable percentage of claims asserted against private company directors and officers. Lastly, it eliminates the need to manage multiple policies and is cost-efficient for what it provides.
    • STAND-ALONE POLICY: There are four main reasons companies may prefer to purchase a separate, stand-alone EPLI policy: 1) to preserve their D&O limits solely for “true” D&O claims; 2) they have no interest in D&O coverage and want a more cost-efficient EPLI policy without it; 3) they have sustained prior claims, making it difficult to package EPLI with their D&O insurance; and 4) they seek the broadest possible coverage with terms they can more easily negotiate.

    Basic Terms Of EPLI Insurance

    • DUTY VS NON-DUTY TO DEFEND: The duty to defend is an important element of professional and management liability insurance policies. It effectively transfers responsibility for the defense onto the insurance carrier, removing the burden from the insured, and provides a team of experts for consultation. Most companies will want to avoid purchasing policies written on a non-duty-to-defend (duty to indemnify) basis.
    • DEFENSE COSTS: Employment practices liability policies can be written one of two ways: 1) with defense costs included in the limit, or 2) with defense costs “outside” the limit. Because defense costs account for such a significant portion of a claim, this is an important area of scrutiny. A policy with a $1 million limit inclusive of defense costs provides substantially less coverage than a policy with a $1 million limit that provides defense costs “outside” the limit; arguably, the latter could be viewed as effectively maintaining a $2 million limit or higher.
    • DEFINITION OF “EMPLOYEE”: As with all professional and management liability insurance, all definitions must be reviewed carefully. The definition of “employee” is particularly important and should include: 1) partners, managers and LLC members; 2) part-time employees, interns and volunteers; 3) independent contractors; and 4) prospective and prior employees.
    • MISC EXCLUSIONS: While the above serves as a very general guide to some of the more important terms and exclusions contained within EPLI policies, there are still many others that require assessment (and negotiation), such as exclusions for breaches of employment contracts and/or regulatory/EEOC actions.

    Recent Trends Increasing Employment Claims

    • Gender (and transgender) equality issues are posing new challenges for corporations.
    • Pay equity claims are sprouting up in certain states (such as NY and CA), alleging compensation disparities between races, genders, etc.
    • Genetic discrimination claims are on the rise.
    • The EEOC has been actively pursuing companies for improper use of criminal background checks on employment applications.
    • Website ADA (Americans with Disabilities Act) claims are on the rise, brought by persons with disabilities asserting that they are unfairly denied access to websites which do not provide proper audio/visual accessibility.
    • Mobile devices make it easier than ever for employees to record and document questionable workplace practices.
    • Social media is creating workplace challenges for companies that base employment/termination decisions on employees’ social media usage.
    • The DOL (Department of Labor) has been discussing the implementation of new overtime rules that would qualify previously exempt employees.
    • Many industries, such as the tech and finance sectors, actively seek younger candidates, which can give rise to inadvertent age discrimination claims.

    FAQ

    • AREN’T EMPLOYMENT CLAIMS COVERED BY MY LIABILITY POLICY? Maybe. As referenced above, some policies do extend some coverage via a basic endorsement. However, these endorsements generally provide only a basic level of coverage, subject to usually low sub-limits, which may not provide enough protection.
    • HOW MUCH DOES EPLI COST? EPLI premiums depend on a number of factors; the number of employees and the business’s industry are the most obvious rating factors. Generally speaking, a basic EPLI endorsement for a small company may cost as little as $300, while stand-alone policies and coverage purchased under D&O packages will often begin at $1,000.
    • DOESN’T THE EMPLOYMENT-AT-WILL DOCTRINE PROTECT US? The short answer is no. The employment-at-will doctrine may protect companies from some wrongful termination claims, but it does not eliminate the possibility of lawsuits entirely. Wrongful termination claims are also only a small portion of the potential claims against a company and its directors and officers; there are a myriad of others, as highlighted above.

Get (Risk) Managed.

Ready to review your existing insurance program? Interested in setting a reminder for a renewal review? Or simply have a question? We're here to help. We also understand you're busy - let's schedule a time to speak that works best for you. Simply schedule a call and we'll reach out when it's convenient.
