1. Get an Insurance Broker dealing in business and conversant with technology (not your homeowner insurance agent) who can explain what’s covered and what’s not covered.
2. CGL—You’ll need Commercial General Liability. However, don’t rely on CGL insurance alone. Yes, it’s the most basic insurance that protects a business from claims due to injuries, accidents and negligence. However, some CGL policies will not cover liabilities assumed under a contract if there is no personal injury or property damage involved. So, if you agreed to indemnify the other side, CGL may or may not help. Find out up front whether breach of contract claims can be covered by any insurance.
3. Cyberinsurance—Data Breach Protection. Your contracts need to be clear as to who bears the risk of a data breach. If you are the tech company, likely you will bear some or all of that risk. Get cyberinsurance. Get coverage for state breach notification laws, breach response and consumer data breach lawsuits. Big Co will likely want written confirmation of coverage for these items.
4. Tech E&O—Technology Errors & Omissions insurance provides coverage for alleged negligence in technology services, e.g. data hosting, data processing, computer systems analysis, network management systems. Because bodily injury and property damage may be less likely than negligence claims, Tech E&O coverage may be as useful as CGL or more so. Get both. Check to see if your contractors are covered under your Tech E&O and if liability assumed under an indemnification clause is covered.
5. Standalone IP policy. Cyberinsurance does not cover any actual or alleged infringement, theft, use, misappropriation or disclosure of a patent or trade secret (it might cover infringement of copyrights and trademarks). You’ll likely need a standalone policy for patent infringement or misappropriation of trade secrets.
6. Adding additional insureds on policy. Tech companies are being asked to add their clients and vendors as additional insureds on their liability policies. Some policies will allow you to do so through a blanket endorsement, some will not. Insurance companies may balk at adding an additional insured or require further underwriting (that means more time and money) to add that additional insured to the policy.
7. Amount of Insurance. It’s a business judgment based on your risk profile and the amount of risk posed by a transaction. Typically, 1 million in coverage per type of policy is the bare minimum for startups—your premiums depend on the type of business, history, and deductible amount for starters. What can you afford? What amount does your customer typically ask for and what amount will they agree to (ask, as some companies will negotiate)?
8. Exclusions. You’re paying for risks to be covered. For example, in a cybersecurity policy, is cyber terrorism covered? A hacktivist group may be classified by the U.S. government as a terrorist and possibly excluded. What types of data are excluded, e.g., data in the cloud, paper records? You get the idea—insurance companies may provide an exhaustive list of exclusions and/or vague, general descriptions in the policy to deny coverage.
9. Defense and Third Party Costs. Is the cost of defense included within the amount of the policy limit or not? What third party costs will the policy cover, e.g. forensic investigators, customer notification, credit monitoring, etc.?
10. Claim Paying and Claim Handling. Tech insurance is only as good as the items it covers and the help it provides in handling, defending and paying claims. Evaluate and verify the insurance company’s record on claim payments and handling. Use a broker with cyberinsurance experience who can substantiate the insurance company’s track record.