Structuring Insurance For FinTech and RegTech Companies
At its most basic, a typical Fintech/Regtech insurance program should include a blend of E&O, cyber insurance and crime insurance. Since the E&O and cyber exposures are so closely related, they are often best placed with a single carrier when possible. When engaging in contract negotiations with banks and other partnered institutions, most compliance requests will require minimum limits of 3 Mill to 5 Mill across each line of coverage and can often increase from there. For that reason, when approaching carriers, we often recommend engaging in a dialogue with the insurers in order to gauge their level of comfort with higher limits if /when requests for increased limits arise. Startups and smaller companies may encounter some resistance from the carriers, particularly when the organizations’ assets are smaller. When carriers are unwilling to increase the policy(s) limit, companies may be able to structure coverage by purchasing layers of excess insurance from multiple insurers.
Executive liability insurance serves an equally important role. There are a few specific risk factors highlighting the importance of D&O for Fintech companies:
- Operating without D&O can make it difficult to appoint experienced directors or officers, as most seasoned executives will refuse to sit on uninsured boards.
- Operating in a fairly active M&A space means many Fintech companies will undergo a merger/acquisition at some point, which can result in merger objection and other postmerger claims.
- The failure rate among startups is notoriously high, which means early and mid stage fintech companies are particularly exposed to claims brought by creditors and other insolvencyrelated risks.
- Fintech/Regtech companies often require a considerable amount equity. As the number of investors/shareholders increases, so does the risk of shareholder litigation. D&O insurance is also a common requirement on VC/PE term sheets.
- Operating in a highly regulated sector with oversight from multiple regulatory bodies can pose compliance challenges resulting in an increased risk of regulatory enforcement actions.
- Claims against Fintech companies can be unpredictable. A private D&O policy form can often act as a “catch all” providing coverage for miscellaneous claims not covered elsewhere.
Companies that have proprietary, patented products or technology should also consider incorporating IP insurance within their portfolio. While patents are a logical first step in protecting your IP, the protection provided is often only as strong as the ability to pursue potential infringers. When those infringers are larger companies with deeper pockets and experienced counsel, enforcing your IP can become extremely costly. IP abatement insurance policies effectively provide a legal fund to litigate against such infringers, further protecting your patents. Conversely, IP defense policies provide coverage to defend against any allegations that your products/services are infringing on others’. Depending on the type of policy, premiums generally being around 20-30k for a 1 Mill limit and increase from there based on the limits being purchased and amount of IP being protected.
ASSESSING POLICY TERMS
Insurance policy forms are known to differ from carrier to carrier, however that variation is even greater when it comes to Fintech risks. Prior to placing coverage executives should perform a careful assessment alongside their broker, to ensure the policies’ terms and conditions align with the company’s risk profile. Among the terms that should be reviewed include:
- Definition of Professional Services: A properly structured E&O policy should appropriately cover all financial services provided, technology and software failures, and any consulting services or other services that might be provided by the organization. Conversely, when assessing D&O insurance, overly broad “professional service exclusions” should be carefully tailored. Given that nearly all claims will be “arising from, or related to” the providing of professional services, broad exclusions can act as a blanket exclusion of sorts and should be softened as much as possible.
- Coverage for Vendors and Contractors: Does the E&O/Cyber policy include coverage for wrongful acts committed by independent contractors, outsourced business providers and other 3rd parties? Is coverage included for lost income resulting from an intrusion that cripples a dependent 3rd party? This is particularly important when services are being outsourced. The company should also be diligent in obtaining certificates of insurance evidencing the insurance maintained by any outside providers.
- Cyber Enhancements: Cyber risks are evolving at a rapid pace, and insurers are regularly enhancing their policy forms in order to respond. Some of the more modern enhancements include CCPA/GDPR endorsements, coverage for “crypto jacking” and “bricking”, system failure coverage, utility fraud coverage, and reputational loss protection (among others). Any cyber policy being considered should be inclusive of these endorsements.
- Scope of Ransomware Coverage: As the frequency and severity of ransomware attacks continue to increase, a growing number of carriers are beginning to sublimit their ransomware coverage, sometimes significantly. Since these attacks can inflict considerable financial damage, fintech companies should carefully review their cyber policies to ensure its policy limits are adequate and implement robust policies and procedures regarding backups and business continuity plans.
- Scope of Regulatory Coverage: Given that the majority of claims brought against RegTech companies will likely result from compliance failures and may involve regulatory enforcement actions (against its clients), it’s critical to avoid any explicit regulatory exclusions. Even in absence of explicit exclusions coverage can still be excluded for regulatory actions brought directly against the company and its executives, further underscoring the importance of a careful assessment. We recently published a helpful guide here, but at it’s most basic level, executives should understand; 1) the degree of coverage for investigations, 2) scope of coverage afforded to the entity (vs the insured persons), and 3) when coverage is triggered.
- Problematic Exclusions: Fintech companies differ as much as the policies that insure them, which highlights the importance of carefully reviewing the E&O policy’s terms, paying particular attention to any problematic exclusions specific to the services being offered. For example, companies engaged in AML/KYC compliance or consulting on any securities laws will need to carefully address any securities exclusions that may preclude coverage for any claims “based upon or arising out of any” violation of any securities laws. Additionally almost all policies also contain exclusions for claims involving RICO (and similar laws) which can be equally problematic. Conversely, companies engaged in cyber/privacy compliance have their own set of problematic exclusions such as those pertaining to “unauthorized collection or use of data” and broad bodily injury exclusions which will often preclude coverage for privacy related claims.
- Foreign Risks: Are foreign risks accounted for? Do the policies provide true worldwide coverage, for claims brought outside the US? Do the policies contain important foreign enhancements such as coverage for GDPR violations?
COVERAGE PLACEMENT ADVICE
Despite common misconception, the insurance market for Fintech companies is relatively small. Given the limited carriers providing terms and the difficulty some companies can encounter when going to market, there are some steps executives can take in order to ease the process and maximize terms and pricing.
- Optimize The Timing Of Your Application: When securing insurance proposals, timing is particularly important; applying too early will likely result in nothing but declinations, however applying too late may delay contract negotiations with partners, or worse, may leave the company open to litigation. For startups, the first requests for proof of insurance will likely come from outside partners (such as financial institutions) this may be months before you plan on launching your product. However when applying for insurance, it’s imperative that the organization is able to provide critical underwriting information such as; financials and/or financial projections, detailed business plans, organizational charts, executive bios, investor presentations, sample client contracts, and timelines for product releases.
- Provide Clarity: In certain cases, Fintech companies may pursue separate insurance for just a single subsidiary or product. In cases such as these, it’s critical to provide an organizational chart clarifying the organization, its ownership, and exactly what needs to be insured, and the application should reflect just that exposure. When providing business plans, we have also seen some Fintech companies include very long term projections including additional services that they hope to include in 35 years time. When providing such projections, it’s extremely important to clarify *when* such products or services will be available. Including services that will ultimately be offered 3 years out (and failing to mention that to the insurers) will only result in the underwriters erroneously underwriting future risks, which can adversely impact the underwriting process and associated premiums.
- Set Realistic Premium Expectations: While policy premiums are greatly dependent on the actual services being provided, insurance for fintech companies is not inexpensive. We’ve seen E&O/Cyber premiums range from 20k per Mill to 70k per Mill for companies engaged in higher risk activities (such as companies engaged in lending and/or lines of credit). Companies seeking D&O for an associated coin/token offering will encounter even greater premiums with pricing often beginning at 100k for a 1 Mill policy, with large retentions and often restrictive terms (including regulatory exclusions among others).
- Start the Process Early: Given the diversity among Fintech and Regtech companies, securing insurance can often be a lengthy process underwriters will often require additional information and conference calls in order to get a better understanding of the company and its operations. We generally advise beginning the application process 4-6 weeks in advance.
- Develop a US Presence: Foreign Fintech companies will likely encounter aggressive US exclusions when placing insurance in their domiciled countries. With US claims being excluded, most companies will be forced to place separate insurance in the US. However Fintech companies with no US entity or local offices will encounter considerable resistance from the insurance carriers, often limited solely to the Lloyds markets when attempting to secure insurance. Establishing a US corporation and/or a small satellite administrative office in the US will help open the markets. Alternatively, such companies can also explore the option of a separately placed foreign liability policy (or appropriate endorsements) placed out of their domiciled country.