RegTech and FinTech Insurance Coverage Guide
Companies operating in the Fintech space are exposed to a wide range of risks and litigation. The mix of professional/financial services, tech platforms, proprietary software and algorithms, the considerable capital required to fund operations, and cyber security challenges creates a complex risk environment that requires a carefully structured insurance program. For Fintech companies currently seeking proposals, we have a helpful guide here that discusses tips and considerations when going to market. At its most basic, a typical Fintech/Regtech insurance program should include a blend of the following:
CYBER AND E&O INSURANCE: With most Fintech companies providing a broad range of services, a properly structured E&O policy should cover claims related to both tech/software failures (such as automated processing or algorithm failures) and financial service failures (such as failures in processing loans, extending credit, etc.). Additionally, many companies may need a coverage extension for miscellaneous errors and omissions in order to cover ancillary services such as consulting or auditing. Since the E&O and cyber exposures are so closely related, they are often best placed with a single carrier when possible. When negotiating contracts with banks and other partner institutions, most compliance requests will require minimum limits of 3 Mill to 5 Mill across each line of coverage, and they can often increase from there. For that reason, we often recommend engaging in a dialogue with the insurers in order to gauge their level of comfort with higher limits, so that the company is prepared if and when requests for increased limits arise. Startups and smaller companies may encounter some resistance from the carriers, particularly when the organization’s assets are on the smaller side. In situations where carriers are unwilling to increase a policy’s limit, companies may be able to structure coverage by purchasing layers of excess insurance from multiple insurers. Among other terms and conditions, when assessing E&O and cyber coverage, policyholders should pay particular attention to the following:
- Coverage for Vendors and Contractors: Many Fintech companies understandably outsource services and/or utilize independent contractors, which is why it’s critical to understand the extent to which the E&O/Cyber policies include coverage for claims involving third parties. For example, are wrongful acts committed by independent contractors covered? Is coverage included for lost income resulting from an intrusion that cripples a dependent third party? In addition to assessing policy terms, the company should also be diligent in obtaining certificates of insurance evidencing the insurance maintained by any outside providers.
- Prior Acts Coverage: Most policies can provide coverage for prior acts; however, in some cases the carriers will only agree to coverage on a “going forward” basis, meaning that only wrongful acts alleged to have been committed after the policy issuance date would be covered. These prior acts exclusions are particularly problematic for companies that were already providing services before applying for coverage, as any litigation arising from past acts or errors would effectively be uninsured.
- Cyber Enhancements: Cyber risks are evolving at a rapid pace, and insurers are regularly enhancing their policy forms in order to respond. Some of the more modern enhancements include CCPA/GDPR endorsements, coverage for “crypto jacking” and “bricking”, system failure & disruption coverage, service failure and disruption coverage, utility fraud coverage, and reputational loss protection (among others). Any cyber policy being considered should be inclusive of these endorsements.
- Coverage for PCI Fines: Almost all Fintech companies store, process or transmit cardholder data, subjecting them to strict PCI compliance requirements. Some estimates, however, indicate that only 25-35% of organizations are fully PCI compliant. When breaches and failures occur, the resulting fines can be costly, with estimates ranging from $5,000 to $100,000 per month until the organization rectifies the failures. When securing cyber insurance, all Fintech companies should ensure their policies provide affirmative coverage for PCI fines. Coverage should also extend to wrongful acts committed by rogue employees and outsourced providers.
- Coverage For Business Email Compromise / Funds Transfer Fraud: The FBI’s 2020 Internet Crime Report demonstrates the severity of damage inflicted by business email compromise crimes. In 2020 they resulted in losses of $1.8 Billion across 19,000 reported victims, which averages to roughly $100,000 per crime, though losses can easily exceed that figure. Most insurers can extend coverage for business email compromise and funds transfer fraud; however, it’s a nuanced coverage and the devil is in the details. There have been numerous cases adjudicating whether the losses for such claims were in fact “directly” caused by the crime (as required by most crime policies), and whether the social engineering aspect of the crime itself voids coverage (because the insured voluntarily parted with the funds). Accordingly, policyholders should perform a careful assessment of the policy’s terms, ensuring coverage is as broad as possible.
- Scope of Ransomware Coverage: As the frequency and severity of ransomware attacks continue to increase, a growing number of carriers are beginning to sublimit their ransomware coverage, sometimes significantly. Since these attacks are becoming more frequent and more damaging, Fintech companies should implement robust policies and procedures regarding backups and business continuity plans, and carefully review their cyber policies for limit adequacy. Should the cyber policy contain a “war exclusion”, executives should attempt to negotiate its removal or, at the very least, have the language modified so that the carrier expressly excepts cyber terrorism and acts committed by government actors from the exclusion.
- Problematic Exclusions: When reviewing policy terms, organizations should pay particular attention to any problematic exclusions specific to the services being offered. For example, companies engaged in AML/KYC compliance solutions or consulting on securities laws will need to carefully address any securities exclusions that may preclude coverage for claims “based upon or arising out of any” violation of securities laws. Additionally, almost all policies contain exclusions for claims involving RICO (and similar laws), which can be equally problematic for companies providing compliance services, as such exclusions may extend to AML/KYC laws. Conversely, companies engaged in cyber/privacy compliance have their own set of problematic exclusions, such as those pertaining to “unauthorized collection or use of data” and broad bodily injury exclusions, which will often preclude coverage for privacy-related claims. Any problematic exclusions should be addressed and softened as much as possible by narrowing the preamble wording, carving back defense costs, and/or amending the exclusion with clarifying language.
CRIME INSURANCE: Crime insurance policies contain a wide range of available insuring agreements and can be structured à la carte based on the organization’s needs and concerns. These insuring agreements range from theft of cash, to check and payment card forgery, to more complex fraud such as funds transfer fraud and theft that results in losses to clients’ property. By and large, the majority of the risks encountered by Fintech companies will fall under the “Tech Fraud” insuring agreements, which provide coverage for losses such as erroneous transfers, funds transfer fraud, computer theft, and customer account losses. When structuring coverage, Fintech executives should assess their operations and set limits for each insuring agreement of interest based on their actual exposures. Since crime coverage can also be endorsed onto a wide range of policies, companies and their directors should carefully review the entire insurance program to ensure that coverage is not already being extended by a commercial package, cyber and/or management liability policy, which would result in duplicate coverage.
- Coverage Triggers: Crime policies can be written with one of two coverage triggers. “Loss sustained” policies provide coverage based on when the loss was actually sustained. “Loss discovered” policies, on the other hand, are triggered when the loss is actually discovered. Given that certain frauds often take a considerable amount of time to discover, policyholders should ensure that crime policies are written with an appropriate “loss discovered” trigger.
- Coverage for Independent Contractors: We already mentioned the importance of E&O and cyber policies to provide coverage for acts committed by (and breaches affecting) independent contractors, and the same holds true for crime policies. With employee theft/fraud posing a considerable risk to all financial institutions, it’s critical that crime insurance policies recognize independent contractors as employees.
- Limit Adequacy: The first catalyst for placing crime insurance is often a compliance request from a vendor or client requiring coverage; however, these requests often fail to address the actual exposures. All too often, Fintech companies receive a request requiring a specific limit for crime insurance, secure the stated amount, and give little consideration to the actual coverage being provided. It’s treated as a check-the-box solution rather than an address-the-risk solution. A compliance request requiring 3 Mill in crime insurance could technically be met by purchasing 3 Mill in employee theft coverage alone, providing no coverage for more damaging risks such as funds transfer fraud or losses affecting customer accounts, which is why policyholders should carefully review all limits and sub-limits for adequacy.
D&O (DIRECTORS & OFFICERS) INSURANCE: A common requirement on VC/PE term sheets, D&O insurance provides protection for claims against the company and its directors brought by shareholders, regulators, creditors, employees, competitors and vendors. Regardless of any VC/PE funding or other insurance requirements, there are a number of reasons Fintech companies should consider implementing D&O within their insurance programs. For one, it can help the company build an experienced executive team. In the interest of protecting their personal assets, most seasoned executives will refuse to sit on uninsured boards, making it difficult for companies to attract or retain qualified directors and officers absent such insurance. Secondly, Fintech/Regtech companies often require a considerable amount of equity, and as the number of investors/shareholders increases, so does the risk of shareholder litigation. Additionally, the failure rate among many startups and tech companies is notoriously high, which means the executives of early- and mid-stage fintech companies are particularly exposed to insolvency-related risks such as claims brought by creditors. The sector itself is also subject to considerable oversight from multiple regulatory bodies and constantly changing regulations, which can pose compliance challenges and result in an increased risk of regulatory enforcement actions. Operating in a fairly active M&A space also means many Fintech companies may undergo a merger or acquisition at some point, which can result in merger objection and other post-merger claims. Lastly, claims against Fintech companies can be unpredictable, and private company D&O policy forms can often act as a "catch all", providing the entity with broad coverage for miscellaneous claims not covered elsewhere. Among other terms and conditions, when assessing policy terms, policyholders should pay particular attention to the following:
- Scope of Regulatory Coverage: Given that the majority of claims brought against RegTech companies will likely result from compliance failures and may involve regulatory enforcement actions (against its clients), it’s critical to avoid any explicit regulatory exclusions. Even in the absence of explicit exclusions, coverage can still be excluded for regulatory actions brought directly against the fintech company and its executives, further underscoring the importance of a careful assessment. We recently published a helpful guide here, but at its most basic level, executives should understand: 1) the degree of coverage for both formal and informal investigations, 2) the scope of coverage afforded to the entity and the insured persons, and 3) when coverage is triggered.
- Contractual and Professional Services Exclusions: Overly broad contractual and “professional service” exclusions should be carefully tailored. Given that nearly all claims will be “arising from, or related to” contracts for professional services, broad exclusions can act as blanket exclusions of sorts and should be softened as much as possible.
- IP Exclusions: It’s understandable that D&O insurers apply an IP exclusion, as D&O is not intended to cover IP litigation (such claims are best covered by an appropriate IP policy). An acceptable IP exclusion, however, should simply preclude coverage “for” any actual or alleged infringements. Some insurers go one step further and exclude claims “based upon, arising from or related to” any such infringements. These overly broad versions have the potential to preclude coverage for any resulting shareholder litigation or derivative actions stemming from an IP dispute. In order to ensure such coverage is maintained, executives should avoid the overly broad versions, softening them as much as possible while ensuring that any resulting shareholder litigation is covered along with claims brought against insured persons.
- False Advertising and Unfair Competition Exclusions: Fintech companies are also particularly susceptible to false advertising claims. Advertising “24/7” access to funds, “no hidden fees”, or robust cyber security, and then failing to live up to those promises, can quickly result in litigation and/or regulatory enforcement actions. Many D&O policies contain explicit exclusions for claims related to false advertising and unfair trade practices; however, there are carriers in the marketplace without such exclusions. Even when these exclusions cannot be removed, policyholders can often soften them to carve back defense costs, claims brought by shareholders, and/or non-indemnifiable claims against the executives.
- Privacy/Cyber Exclusions: Nearly all D&O policies maintain bodily injury exclusions which extend to claims alleging “invasion of privacy”. Some go one step further and preclude coverage for “unauthorized collection of data”, or maintain an even broader cyber-specific exclusion. While typical cyber claims would be picked up by the organization’s E&O/Cyber policy, these exclusions still need to be addressed in order to ensure they are not overreaching.
IP & PATENT INSURANCE: Companies that have proprietary, patented products or technology should also consider incorporating IP insurance within their portfolio. While patents are a logical first step in protecting your IP, the protection provided is often only as strong as the ability to pursue potential infringers. When those infringers are larger companies with deep pockets and experienced counsel, enforcing your IP can become extremely costly. IP abatement insurance policies effectively provide a legal fund to litigate against such infringers, further protecting your patents. Conversely, IP defense policies provide coverage to defend against allegations that your products/services are infringing on others’ IP. Depending on the type of policy, premiums generally start around 20-30k for a 1 Mill limit and increase from there based on the limits being purchased and the amount of IP being protected. There is also generally a one-time search fee required in order to underwrite the patents. Among other terms and conditions, when assessing coverage, policyholders should pay particular attention to the following:
- Is IP Properly Scheduled: Policyholders may assume all of their patents are automatically protected by an IP policy, however these policies generally include a schedule of the specific patents/products being insured. It’s extremely important that policyholders carefully review the schedule in order to ensure the policy aligns with the company’s intentions and is in fact covering all intended patents.
- Trademarks and Copyright Coverage: Most patent insurance policies can extend to include coverage for trademark and copyright infringement as well, but such coverage will need to be requested when applying for coverage.
- Patent Troll Coverage: Companies can incur significant costs defending against patent “trolls”. According to RPX Insurance, 60% of these claims target smaller companies (with revenues under 100 Mill), and the average cost to resolve these suits is $200,000, with some cases going as high as $2 Million. Litigation brought by patent trolls alleging that your non-core products infringe on their patents is excluded by the majority of IP policies unless a specific troll defense rider is added via endorsement.
- Multi-Peril Endorsement: Losing patent litigation can be devastating. In addition to the costs incurred in defending against such claims, the loss of the patent itself can result in lost business income, and numerous miscellaneous costs such as redesign and remediation costs. Multi-peril riders can often be added to patent insurance policies for a minimal premium in order to protect against such damages if/when your patent becomes invalidated.