Insurance law for in-house teams: the need-to-knows

Michael Haynes: Hi everyone. If you've just joined us, you're in the right place. This is the Juro roundtable on insurance and what every in-house counsel should know. One of my favourite topics, insurance and what every in-house counsel should know. We've got three great guests with us today. I'll say hello first. I'm Michael Haynes. I'm Juro's general counsel, also part-time amateur webinar host. And that's my job today. What I'm going to do is pass over to each of our speakers in turn to introduce themselves and then we'll kind of get into it. So let's start with Rebecca.

Rebecca McKenzie: Hello, I'm Rebecca McKenzie. I am the Head of Legal at Codat. We make financial data APIs for use for small businesses. We're about 150 people and we have offices in London, New York, and Sydney.

Michael Haynes: Thanks, Rebecca. Over to Alysha.

Alysha: Hi, Alysha here. I am a fractional CFO and I have a few people that work with me and we primarily work with startups up to about series B when companies need to bring a CFO in full-time.

Michael Haynes: Last but not least, Liam.

Liam: Hello, I'm Liam, I'm COO and co-founder of Capsule. I've had the pleasure of being in insurance my whole career, previously scaled a more traditional breaking business through two rounds of private equity and a successful exit. And kind of in 2021, started Capsule, which is an insure tech for high-growth and venture-backed businesses. So kind of taking some of the thoughts and skills through scaling business previously and kind of put an insurance lens on that for other high-growth businesses.

Michael Haynes: Okay. So we're going to cover broadly three topics today: the nuts and bolts of insurance for startups, followed by looking at some risk management strategies, and then some audience Q&A at the end. If you want to submit a question, you can do so if you look down at the bottom right-hand corner of your screen, you'll see there's a questions tab. So if you find a burning question, do that in the tab. If we don't come to it in the discussion, we'll cover it at the end in the dedicated Q&A section.

Insurance law essentials

And without any further ado, then I think we'll get started. Let's talk a little bit about essentials when it comes to startups. And I think this is probably a question that is most fair to ambush Liam with to start with. But really, like, you're a lawyer kind of looking at your insurance program for the very first time. What sort of things do you need to think about when you're deciding how much coverage your business needs and what to get?

Liam: Yeah, so I think there's probably two parts to that question. One is, what insurance should you have to start with? And then what limits you should think about and kind of limits as you scale. We talk really regularly about the journey of a venture business and how different stages of that journey can mean different insurance requirements. In the early stages of formation of a business, you're often thinking about legal requirements.

So employers' liability being the main one as an employer of individuals and you're legally required to hold employers' liability. But then as you go through different stage gates of the business, for example, if you're going out to raise funding, then there'd normally be a requirement to hold directors' and officers' liability. Once you're starting to take on customers or generate revenue, there's normally professional indemnity, cyber liability requirements. So there's quite a few different stages as the business scales where insurance will go through the peaks and troughs of insurance becoming relevant at certain points. I'd say it's normally either employees, funding rounds, or customer requirements.

If we're almost past that early stage and the business is in that scale phase, kind of series A and beyond, and you have the minimum requirements that you need, it's then starting to turn that lens onto what levels of insurance you should hold. There's an element of that where you should think around the boards or the stakeholders' perception of risk in the business. So whether that's protecting directors' own personal liability through D&O. If you're scaling to the US, for example, then obviously there is an increased exposure there for directors of businesses that have US subsidiaries or US presence. But I think probably, and it's something that perhaps Rebecca could touch on, the biggest driver for that is contractual requirements. And as you start taking on more enterprise-type contracts, the more onerous they tend to get in terms of what limits they expect you to have around professional indemnity or cyber liability in particular.

Michael Haynes: Yeah, Rebecca, have you seen that in the kind of scaling journeys you've been on, where you suddenly land these blue whale customers and they're imposing these kinds of requirements?

Rebecca McKenzie: Yeah, so I'll be frank. We have various policies with various limits, and whenever I get a— you know, we have many tier-one banks as our clients who expect policy limits of X with them named as second insurers on the policies and XYZ. I have never had to go to our broker and ask for a higher limit. I've always managed to cross out what they've requested and replaced it with what I actually have and get it through whichever risk committee that they need to go to to get it accepted. So I don't think that necessarily it should be the driving force of your policy limits, but you've got to have something.

You can't cross it out and say, "Sorry, I don't have third-party cyber or professional indemnity." You've got to have something, maybe not quite to the limit that they've got in their standard docs. But yeah, I think probably having a more holistic view of what your liability caps are across your agreements for, I don't know, a security breach or whatever, is probably a better driver than what Mr. Big Bank is asking you in their standard MSA.

Choosing the right insurance for your stage

Michael Haynes: And do you ever find it works the other way around? Do you ever look and say, "Well, actually, I know what insurance limits I've got, and that's going to drive the way I look at liability in my sales contracts," for example?

Rebecca McKenzie: Yeah, to an extent, definitely. I think it depends on what the liability is in relation to. I think cyber is such a hot topic and people expect you to have such high limits. But if you're looking at a policy, is that a limit in aggregate? Is it per incident? And I think you probably get to the point where some of something like cyber has to be self-insured to a point as well.

Michael Haynes: Yeah, I certainly agree with that. One interesting thing, Liam, you mentioned was around the different stages of corporate life necessitating those changes in insurance coverage. Alysha, I guess this is something you see with your clients, right? Seeing them going through these fundraising stages. What are the things really that trigger a change there that you've seen, with your fractional CFO hat on?

Alysha: Yeah, because usually a founder wants us to come in post-fundraise and the business is usually excited. They've got all this money and they can start doing things and they tend to forget a little bit that often there are specific insurance requirements in the shareholder agreement. So that's usually the first thing we look at just to check where the conversation is. The two most common ones are D&O, so the level that they require may have increased, particularly if the fundraise is quite a big one and someone's got a board seat, they want to cover themselves. And the other common one that I see is key person risk. So it'll either be one or all of the founders. They just want to make sure that, particularly in series A where the business really does kind of rely on the founders' skills and ability, probably less so in later rounds. And so they really want to just cover that risk as well. So they're the two most common ones I've seen.

Michael Haynes: And Rebecca mentioned this idea of self-insuring as well. Are there other strategies that you've seen, Alysha, that businesses can deploy to mitigate the need to ever rely on their insurance? Because insurance is there as a great safety net, but no business wants to be the one that's constantly claiming on its policies.

Alysha: Yeah, absolutely. So it's probably good to challenge the business, perhaps not two weeks before your insurance is needed to be renewed, but much further afield. There's loads of controls that can be put in place within operations so that you're not relying on insurance because insurance should really be plan B, it shouldn't be plan A. So typical areas to think about would be tech security, business interruption plans, key supplier risks, and then HR policies and procedures to cover yourself for any employment-related insurance claims. So they're probably the main areas. It's good to challenge the company to tighten those up first.

Liam: I'd certainly second that. It seems odd as an insurance broker to sit here and take this stance sometimes, but I'd always be an advocate for saying that actually the controls within the business should be almost at its tightest before you're thinking about insurance. Particularly when you're thinking of something like cyber liability. Actually, most cyber liability policies will have almost minimum requirements that you're expected to meet before a policy would ever pay out. So if you have a business that's thinking, "We just need to get insurance and that's all of our problems solved," it's not normally the right attitude to have. I'd always say that it should be a safety net rather than something that's used to prevent basically.

The role of insurance brokers

Michael Haynes: I think that's a really interesting point. It's kind of where the risk functions like legal and finance come into their own. They're the guardians of those kinds of things that give you a credible appearance to insurance when you get there. One question we got a lot actually, I think I said this in the webinar, was about professional indemnity insurance. There's a lot of confusion in the market around when that kind of cover is necessary. Liam, when should we really be starting to think about that as a thing? I'm thinking in the context of lots of the businesses we've got represented on this webinar, right? They're kind of like pure software businesses, not necessarily doing managed services, that kind of stuff. When should they really be thinking about PI?

Liam: In its most basic form, when you're providing services for a fee, you could be held liable by a third party for financial loss. If a customer could claim financial loss or damages from the failure of your services, the errors in your advice, the failure in your technology even, that is basically what professional indemnity covers. And so, in the strictest sense, that's when you should think about PI insurance.

I think probably, as we've talked about a little bit earlier, the time when that gets scrutiny is either when you're formalizing your first contract or taking on an enterprise deal or going through an investment round and there's some light insurance DD that's done on the business. That's the point when founders tend to sit up and take notice. But I think certainly in our experience, any business even from that journey of seed round right through, I'd say for a technology business, they should have it almost from day one. And that's the more common scenario that we see now anyway.

Michael Haynes: Got it. So it's not one of those things that's just for professional service providers. It's like, no, think about the type of loss that you might cause your customer, even if it's not obviously one of those types of services. I think we've talked a little bit about the types of insurance that scale-ups and startups should definitely have, in the long list of things from employers' liability, D&O, PI, and cyber. What about international stuff? It's particularly easy these days to develop an international footprint as a business. What's your experience there, Liam, in when businesses should start thinking about coverage beyond the confines of their own country?

Liam: Yeah, it's one of those funny, unique challenges from an insurance perspective that I guess a technology business can be truly global from day one. There's quite often a common journey that a business will go on when expanding internationally, which means there's different insurance requirements along the way.

This is an excerpt from the full transcript. To watch the webinar in full, click the preview at the top of this page.