D&O Insurance Guide
Directors & Officers Liability insurance (also referred to as D and O insurance) is a complex, often misunderstood insurance product. However, it is also a critical coverage for many organizations, small and large alike. Below, we have put together a brief guide to help companies and their directors better understand the intricacies of (and value provided by) these highly specialized policies. For directors looking to perform in-depth policy reviews, we have published both a D&O Checklist and an EPLI Checklist to assist with coverage assessments.
What Is D&O Insurance?
In its simplest terms, D&O can be viewed as errors and omissions coverage for board members. It provides defense costs (attorneys' fees), damages and settlements for mistakes made by, and accusations made against, executives for their business decisions. Policies consist of a number of basic insuring agreements and coverage components:
- SIDE A (DIRECT COVERAGE): Also referred to as executive insurance, this insuring agreement provides direct coverage to the directors and officers when the company cannot indemnify them, either due to insolvency or due to laws barring indemnification such as during a derivative claim.
- SIDE B (CORPORATE REIMBURSEMENT): Provides balance sheet protection by reimbursing the corporation after it indemnifies its directors or officers for a claim.
- SIDE C (ENTITY COVERAGE): Coverage for claims asserted against the entity itself. While public company D&O coverage restricts such claims solely to securities claims, private company D&O insurance provides broad coverage for claims made against the entity.
- EPLI (OPTIONAL): Employment practices liability insurance provides protection against employment-related claims, which account for a significant percentage of claims made against private companies and non-profits. These claims include wrongful termination, failure to promote, sexual harassment, and others.
- CRIME INSURANCE (OPTIONAL): Crime insurance provides reimbursement to the entity for losses it sustains resulting from employee fraud, executive theft, theft of funds, and more.
- FIDUCIARY INSURANCE (OPTIONAL): Protection for executives and plan administrators against claims asserting mismanagement and mistakes made while administering employee benefit plans.
- CYBER SECURITY INSURANCE (PURCHASED SEPARATELY): Provides coverage for cyber liability arising from data breaches and intrusions. Also included is coverage for notification costs, regulatory defense and fines (including PCI fines), lost income resulting from network interruption or loss of website services, ransomware demand reimbursement and more.
How Is D&O Coverage Purchased?
Directors and officers liability insurance can be structured to fit the interests of each organization depending on its risk profile and coverage needs. These coverage options require companies to make important decisions when structuring coverages. Some of those considerations include:
- PACKAGED VS STAND ALONE: D&O can be purchased as a stand-alone policy, with no additional components, or packaged with EPLI, crime and/or fiduciary insurance. When packaging coverages, policies can assign one blanket limit to all coverages, or assign each coverage its own dedicated limit. While dedicated limits result in higher premiums, they also provide better coverage by isolating each coverage from the others.
- ONE SIDE OR ALL SIDES: Directors and officers insurance can be purchased for Side A, B and C (which is the most common approach) or for Side-A only claims, with the entity opting for no corporate reimbursement or entity coverage. While Side-A only policies may provide broader direct coverage for the officers at a slightly lower premium, this can be a risky approach, as the majority of claims fall under Side B and Side C coverage.
- EXCESS & SIDE A DIC COVERAGE: In order to increase policy limits and/or broaden coverage, additional policies can be placed "on top" of underlying policies, similar to an umbrella. These policies can be 1) follow form, with the same terms and definitions (intended simply to increase limits), or 2) "difference in conditions", in order to provide broader coverage than the underlying policy.
- SPECIAL COVERAGES: In addition to the above policies, companies with specific concerns may opt to seek additional specialty coverages such as employed lawyers insurance, IDL (independent director liability) coverage, investigation coverage or reputational insurance.
Directors and officers insurance policies are mazes of terms, conditions and definitions that require careful review. Policy audits should be performed in order to ensure that the policy's definitions sufficiently align with 1) other policies, such as any E&O or cyber insurance policies, 2) appointed directors/officers as defined in the corporate charter, and 3) additional entities, including any domestic and foreign subsidiaries. It should be noted that performing a foreign audit and coordinating proper coverage for foreign entities can be a delicate balance requiring careful attention. Often the placement of separate foreign coverage is recommended.
What Types Of Claims Are Covered?
- Customers can file claims related to contractual disputes, false advertising, misleading product information and privacy violations (related to debt collection practices and marketing).
- Suppliers can file suits for damages suffered by failed promises of increased orders.
- Competitors can assert claims of negligent business interference or false advertising, or claims that employees were poached to obtain trade secrets.
- Creditors and bankruptcy trustees can file claims in an effort to recoup losses asserting breaches of fiduciary duties and/or misrepresentations made when applying for credit.
- Shareholders and investors can assert fraudulent inducement, misrepresentations made in private placements and/or breaches of fiduciary duties.
- Employees can file false claims act claims, or, more commonly, employment related claims such as individual suits or class actions asserting sexual harassment or wrongful termination and/or violations of wage and hour laws.
- Regulators and government agencies can bring investigations and enforcement actions for numerous violations, such as FTC actions under consumer protection laws and SEC or DOJ investigations for violations of the FCPA. In addition to any resulting fines and penalties, the costs to comply with investigations alone can be significant.
What Does D & O Insurance Exclude?
While exclusions can vary significantly from carrier to carrier, most policies contain exclusions for the following claims (among others):
- INSURED VS INSURED: In order to eliminate coverage for infighting, claims brought or maintained by one insured against another are excluded. These exclusions require careful review in order to ensure that coverage is maintained for derivative claims, claims brought by bankruptcy trustees, and claims maintained by whistleblowers.
- PRIOR ACTS / RETROACTIVE DATE: Because coverage is written on a claims-made policy form, it is important to understand how such coverage operates. In short, claims arising from wrongful acts that occurred prior to the retroactive date (or the issuing of the policy) are excluded, unless coverage is included for "full prior acts".
- PROFESSIONAL SERVICES: Claims related to, or arising from, errors, omissions and negligence committed while providing professional services. Coverage for such claims is more appropriately placed through an E&O policy. Careful review should be given to this exclusion, as overly broad wording has the potential to eliminate coverage entirely.
- CONTRACTUAL EXCLUSION: Claims arising from any oral or written contracts.
- CYBER SECURITY EXCLUSIONS: D&O policies contain many exclusions which can limit or negate coverage for cyber related claims.
- FRAUD, DISHONESTY & ILLEGAL PERSONAL PROFIT: Intentionally fraudulent acts committed by executives, and claims alleging illegal personal profit, are always excluded. However, well-crafted severability language will maintain coverage for "innocent insureds" who were unaware of such fraud.
- INFORMAL INVESTIGATIONS: While coverage may be included for informal regulatory/administrative investigations naming individual directors or officers, informal investigations against the entity itself are almost always excluded.
- EMPLOYED GC: While some policies may in fact include in-house counsel as a named insured, policy terms and conditions often severely restrict the adequacy of such coverage. Companies interested in purchasing proper coverage for their GCs should purchase separate employed-lawyers insurance.
- "OTHER COVERAGE" EXCLUSIONS: Claims that are intended to be covered elsewhere are always excluded by a D&O policy; these include bodily injury claims that should be covered under a general liability policy, cyber-related claims, and professional service related claims that should be appropriately covered by a separate E&O policy.
Who Should Purchase Directors and Officers Insurance?
Any company that has investors or manages employees or products has a liability exposure, and just about every company can benefit from a D&O policy. Some companies, however, operate in a particularly high-risk environment that compounds the need for directors and officers liability coverage, such as:
- Public companies including micro cap or nano cap companies and those trading OTC
- Financial institutions including hedge funds, investment advisors, venture capital and private equity firms.
- Non-profits
- Mid sized private companies
- Companies seeking funding through crowdfunding, private equity or debt, as well as any companies planning an IPO or active in mergers and acquisitions
- Companies with distressed financials, undergoing a restructuring and/or those emerging from bankruptcy
- High growth companies and companies looking to expand into new products, countries or sectors
- Companies particularly affected by economic movements/downturns
- Companies in certain industries, such as manufacturers and brands, technology companies, financial firms and institutions, healthcare, and life-science companies
- In addition to the above risk factors, directors and officers insurance provides a number of advantages, including the ability to attract qualified directors and appearing more professional to investors when approaching a deal.
Recent Trends Increasing The Importance of Executive Insurance
- The DOJ's newly announced Yates Memo now requires misconduct disclosure in order to receive cooperation credit. The Department of Justice is also applying the Yates Memo to enforcement actions.
- Cyber related litigation is expected to increase in the form of consumer class actions and shareholder class actions and/or derivative claims
- SEC is targeting smaller companies and pursuing more actions through administrative law judges
- Litigation financing is gaining attention and expected to fuel future lawsuits against corporations and their directors.
- Compliance officers are under greater scrutiny
How Do Policies Differ?
D and O insurance terms differ significantly. Some carriers agree to control the defense (taking the burden off of the company and broadening coverage), while others require the company to control the defense. Some policies contain particular exclusions such as "false advertising exclusions", which can severely limit or preclude coverage that is critical for companies like brands and manufacturers. For companies with investors/shareholders, many carriers' policies contain a "majority shareholder exclusion", which precludes coverage for claims brought or maintained by shareholders with more than 5% ownership. These are just a few simple examples; there are too many to list, and entire books have been dedicated to the topic of analyzing D&O policies. While these exclusions are typically easy to identify and avoid, much of the exclusionary language is contained deep in the policy language itself, within the terms and definitions. This makes it very difficult for companies to understand what they are purchasing and nearly impossible to perform proper coverage comparisons. It also highlights the importance (and value) of partnering with an experienced insurance brokerage.
FAQ
- DO HOMEOWNERS POLICIES PROVIDE D&O INSURANCE? Simply put, no, they don’t.
- HOW MUCH DOES D&O INSURANCE COST? Policies cost less than many might assume. Policies can range from 1k per year for very small businesses or non-profits, to 15k for small public companies, on up to 100k plus for larger organizations. Often, however, companies may be able to eliminate duplicate coverage from other policies to help offset that cost a bit.
- DOESN'T MY COMPANY'S INDEMNIFICATION AGREEMENT PROTECT ITS OFFICERS? Yes; however, there are situations in which your company may not be able to indemnify you, such as when it is insolvent or prevented from doing so by law.
- CAN A CLAIM PIERCE THE CORPORATE VEIL? Corporate veils do protect companies, to a certain extent. But court rulings can be unpredictable, and in certain situations corporate status can be bypassed, effectively exposing the directors' and officers' personal assets. Claims asserting fraud, claims asserted by creditors that suffered from "gross under-capitalization", and claims related to the commingling of assets are all examples of claims that can result in a piercing of the corporate veil. Companies that are "closely held" are also more likely to encounter such claims.
- AREN'T WE PROTECTED BY THE BUSINESS JUDGEMENT RULE? The business judgement rule has long provided a certain layer of protection to officers when making business decisions. However, without getting overly technical, many recent court cases indicate that the business judgement rule does not provide the same level of protection that it had years ago.
- WHAT SHOULD WE LOOK FOR? There are too many considerations to list here; however, premium should only play a small role in that decision, as simply seeking the lowest premium will often yield bad results. When shopping for D&O insurance, the most important consideration should be partnering with an experienced D&O insurance broker who can assist with performing an assessment of the policy language and any necessary coverage negotiations. GB&A is licensed in numerous states across the country, including New York, California, and Texas (among others).
- FOR MORE TIPS: Please see our D&O purchasing guide.
2026 Cyber Insurance Guide, Checklist & Risk Trends
It's difficult to address organizational risk without discussing cyber insurance. Cyber risk continues to rank as the C-suite's top concern. As cyber risks continue to evolve, so do the cyber security controls and insurers' policy forms.
Cyber insurance (also known as data breach insurance) provides protection for cyber risk and cyber-related events. Data breaches and the theft or disclosure of protected personal or corporate information are only one type of cyber risk; there are many. The most common threats today are ransomware attacks and social engineering crimes resulting in fraudulent transfers. Coverage can generally be broken down into two segments: first-party coverage, for damages such as lost business income, ransom payments and lost funds resulting from a social engineering scheme; and third-party coverage, which provides coverage for defense/vendor costs, notification requirements, fines, etc. Cyber policies have also evolved greatly from where they began years ago. Today's modern policies can provide coverage for a much wider range of claims, such as utility fraud, crypto jacking, litigation involving failure to adhere to privacy policies, claims involving pixel tracking and even deep fakes using artificial intelligence. One of the biggest benefits of cyber insurance policies, however, is the response they provide: attacks can be disorienting, creating considerable confusion and urgency. Cyber policies provide a team of panel experts who are immediately accessible and ready to respond.
INSURING AGREEMENTS: THE BASICS
Network Security and Privacy Liability: Almost all businesses transmit, store, or process some form of protected data, whether they realize it or not. In addition to employee data and corporate confidential information, today's regulations such as CCPA and GDPR maintain very broad definitions of protected information that can range from names and dates of birth, to biometric data, to IP addresses. When that data is stolen, accessed or improperly disclosed, this insuring agreement provides coverage for any resulting investigation costs, defense costs, damages, and expenses that arise. It's important to stress that not all privacy violations stem from data breaches. Employee errors such as lost laptops and/or erroneously emailing a database of protected information would also qualify as an incident. Additionally, many cyber policies can also provide coverage for failing to disclose an incident, as well as for violations of privacy policies and claims related to improper data collection practices.
Media Liability: A form of coverage for advertising and publishing injury, this agreement provides defense costs and damages for claims asserting wrongful acts such as plagiarism, trademark violations and improper deep linking (among others) while publishing content online and via social media channels. However, given the proliferation of AI-produced content and concerns over plagiarism and copyright violations, some carriers have begun to implement exclusions precluding coverage for any media generated by artificial systems.
Errors and Omissions (E&O): While not included in all cyber policies, some carriers include an E&O insurance component, which provides coverage for financial damages sustained by third parties such as clients and customers when your services fail. Examples might include software failures, errors in providing media and advertising services, and poor work performed by web designers or IT consultants. It is, however, important to note that E&O coverage differs greatly. Well-structured E&O policies should extend coverage to include claims resulting from breach of warranty, breach of contract and/or claims asserting failure to deliver.
Regulatory Defense and Penalties: This insuring agreement provides coverage for attorney’s fees and costs associated with formal regulatory or administrative investigations. Stronger policies also provide affirmative coverage for any resulting fines or penalties stemming from privacy violations such as those imposed by HIPAA, CCPA and GDPR. These violations and resulting fines can stem from security failures, to improper data collection practices, to deceptive privacy practices, and more. For more information on assessing the regulatory coverage insuring agreement, please see our previously published guide.
Extortion & Ransomware: Provides coverage for extortion demands resulting from ransomware attacks that might hold an organization’s network, website, data or software “hostage”.
Data Breach Response Costs: Data breach response coverage provides coverage for the costs involved with performing a required forensic investigation, and any costs involved with notifying affected parties and providing any required identity restoration and/or credit monitoring.
PCI Coverage: An important coverage for any business accepting credit card payments, PCI insurance provides coverage for fines and penalties arising from violations of PCI DSS requirements, such as failing to protect cardholder data or to implement proper security controls (firewalls, encrypted transmissions, etc.).
Crisis Management Expenses: Data breaches can inflict significant damage to a company’s reputation. Restoring consumer confidence can be difficult. As a form of reputation insurance, this agreement provides coverage for the organization to hire a PR firm in order to help rebuild the organization’s brand and reputation following a security incident.
Business Interruption and Data Restoration: Business interruption (lost income) caused by cyber incidents such as ransomware attacks is often one of the most significant damages incurred by affected organizations. Lost income is also just one component of the financial damages incurred: there are also considerable extra expenses, such as payroll and overtime costs, travel costs, temporary relocation costs, and costs incurred in repairing or restoring any corrupted data or damaged networks. This insuring agreement provides coverage for the aforementioned damages. It should be noted that the scope of business interruption coverage can vary greatly from policy to policy. Some policies may limit this coverage only to security incidents, while others will also provide coverage for lost income resulting from a system outage. Additionally, some insurers may limit coverage only to attacks directly affecting the organization's own networks, while others will extend coverage to incidents that affect a cloud provider or business service provider.
E-Crime Coverage: E-crimes come in many shapes and sizes: Computer Fraud (resulting in direct theft of funds), Funds Transfer Fraud (fraudulent instructions sent to a bank), Social Engineering (being duped into making a fraudulent transfer), and Invoice Manipulation (duping an organization's customers into making a fraudulent payment). With e-crimes being a leading source of losses for organizations, it's absolutely critical to ensure all forms of e-crime are covered, and to perform a careful policy review to ensure policy terms are in order.
CYBER RISK TRENDS
Increasing Data-Breach Litigation: The number of lawsuits (including class action lawsuits) being brought against companies following privacy incidents has been steadily increasing. A recent report by IAPP indicates the number of annual cases filed has almost doubled since 2020. This is likely being driven by more effective strategies by plaintiffs' firms improving their pleadings, stricter data protection laws, and courts becoming more willing to hear privacy cases.
Artificial Intelligence Risks: Cyber risk has evolved tremendously over the past few years. One of the most recent developments is the use of artificial intelligence by malicious actors to spoof high-level executives into making fraudulent transfers. Artificial intelligence has also resulted in increased media liability, as organizations use AI-generated content, which can result in copyright and trademark claims. As a result of this increased exposure, insurers have had mixed responses. Some carriers are adding explicit endorsements affirming coverage for such AI spoofing claims, whereas others are remaining silent. Additionally, some carriers are beginning to add specific AI exclusions to their media liability insuring clause, precluding coverage for AI-generated media.
Influencers and Social Media: In the context of media liability, the usage of social media and influencers is also creating heightened exposure to claims involving libel, slander and copyright/trademark claims, whose damages may be covered (or partially covered) by the media agreement within a cyber policy. Malicious actors are also knowingly leveraging social media to assist with their attacks. Such platforms may be used to gather information, build trust, or as a weak entry point to gain other credentials. Again, carriers remain mixed with their responses, with some insurers attaching explicit exclusions (particularly to their media liability coverage portion), with others including endorsements confirming coverage for media posted on social platforms.
Biometric Claims: The protection of biometric data (such as fingerprints and facial recognition data) has become of particular importance since Illinois' passage of BIPA (the Biometric Information Privacy Act), with Texas and Washington passing similar statutes. Organizations that possess any biometric data, such as users' facial recognition data or employees' fingerprints, need to be aware of the potential damages involved with failing to protect such data; accordingly, the C-suite should perform careful cyber policy reviews, as coverage for such violations may be precluded.
Pixel Tracking: Pixel tracking claims have ballooned over the past few years, driven by a handful of plaintiffs and plaintiffs' firms. These claims allege that an organization's use of "pixel tracking" (collecting small bits of user data) is in violation of wiretapping laws. In some cases, organizations may not even be aware that such data is being collected, as plugins may have been installed by hired marketing companies. Policyholders should check their policies, as pixel tracking exclusions are becoming increasingly common.
Insider Threats: Insider threats appear to be increasing, driven by outsourcing, continued remote work arrangements, and the usage of outside contractors.
REVIEWING POLICY TERMS
Cyber insurance policies are extremely complex, fast moving, non-standardized and difficult to understand. To demonstrate their complexity: when drafting our cyber checklist, we counted upwards of 40 exclusions, so outlining all of the important terms, endorsements and exclusions is extremely difficult (if even possible). Below are some good basic recommendations:
Ensure Basic Terms Are In Order: Most policies today have evolved to comply with the below coverage recommendations, however given their importance, it should never be assumed that such terms are already included.
- Definition of Data: The definition of data is an important consideration, especially for organizations that work more with corporate information, which may be further protected by corporate confidentiality agreements. Some policies take an extremely narrow stance on defining data, simply as driver's license information, dates of birth and social security information. Others contain more liberal definitions which include health information, corporate confidential information, and any protected information as defined by CCPA/GDPR or similar statutes. Purchasing a policy with a narrow definition can significantly compromise coverage. All policies provide coverage for digitally stored data; however, many companies also use paper files, such as applications, tax forms, employee records, health records, etc. Some policies contain exclusions for losses arising from the theft or disclosure of paper records.
- Definition of Computers and Systems: Most companies rely on third-party software in one form or another, whether it be a cloud provider, SaaS software or a compliance program. Security incidents that affect your business service provider or off-site computer systems can result in claims against your company, ranging from lost profits to privacy violations. They can also result in lost business income. Some carriers include within their definitions coverage for breaches that affect service providers and off-site computer systems, while others intentionally preclude such language.
- Are there Encryption Requirements: While data encryption is a wise recommendation, some companies may choose not to encrypt, or may occasionally transmit or store data that is unencrypted. Some policies contain an encryption requirement, precluding coverage for any claims that arise from breaches that affect unencrypted data. As a side note, most cyber insurers will require encryption today, and insureds will likely need to confirm such controls are in place when applying for coverage.
- Are there minimum security standards: Some cyber risk insurance policies contain a condition precedent to coverage, requiring that the organization employ a certain level of security measures. Failure to do so can nullify coverage. Such requirements should be avoided when able.
Secure Coverage Enhancements: Many carriers today will include a number of coverage enhancements. Among those included are coverage for:
- Crypto Jacking and Utility Fraud Coverage: Coverage for attacks where malicious actors take over computer systems solely for the purpose of mining cryptocurrencies, causing computer systems to run at maximum capacity and resulting in slowdowns and increased utility costs.
- Bricking Coverage: Covers the costs to replace any hardware that may be rendered inoperable.
- Voluntary Shutdowns: Triggers coverage for business income damages for voluntary shut downs of any systems in order to prevent an attack or mitigate damages.
- CCPA and GDPR Endorsements: Broadens the definition of protected information to comply with regulations such as CCPA and GDPR.
- Affirmed BIPA Coverage: An endorsement providing (often sub-limited) coverage for BIPA claims.
- Blanket Additional Insured Endorsements: Vendors and business partners are more commonly requesting to be named additional insured on cyber policies. This endorsement provides affirmative coverage on a blanket basis, where contracts contain such requirements.
Avoid Problematic Exclusions: As mentioned above, cyber policies collectively contain upwards of 40 exclusions. While some of them are standard, others can be very problematic.
- Broad Contractual Exclusions: Most policies will contain some form of a contractual exclusion; however, in the context of cyber insurance, it's important to ensure proper carvebacks are obtained, such as carvebacks for PCI claims, confidentiality agreements and unintentional violations of privacy policies (among others).
- Overly broad war exclusions: Cyber policies often contain war exclusions; however, some are broader than others and could be problematic in the event of a breach. Lloyd's of London notably amended their policy language late in 2023 with extremely broad language. Many cyber experts are concerned that overly broad exclusions could preclude coverage for certain breaches, such as situations where servers or networks are located in countries engaged in current conflicts, or those in which hackers claim a political motive or claim to be sponsored by a state-sponsored group.
- Widespread event exclusions: Carriers are increasingly beginning to attach widespread event exclusions or heavy sub-limits, which exclude or limit coverage in attacks where multiple parties are affected by a single attack or vulnerability. Each policy also differs in how it defines "widespread event", with the most aggressive exclusions only requiring another outside system to be affected. These exclusions should be avoided when able, as such attacks are becoming more commonplace.
- Unsupported (end of life) software: Exclusions precluding coverage for incidents that affect unsupported (outdated) software.
- AI exclusions: Artificial intelligence exclusions are not yet commonplace; however, they are beginning to emerge and can pose serious coverage issues, as discussed here. The biggest concern is the exclusion of coverage for spoofing attacks which use AI to trick corporate officers into fraudulent wire transfers. Another concern, however, is that many organizations may be using AI within their cyber security environment; should that AI fail to detect or respond to a threat, or should an organization be affected by an AI-launched attack, such an exclusion could nullify coverage.
Ensure Vendors are Approved: Cyber insurers will not consent to incur any costs until a claim has been tendered, and require that the insured utilize counsel and vendors approved by the insurer. In order to ensure costs incurred at the early stage of an investigation are in fact covered by the policy, it’s critical that the organization ensure its breach response plan aligns with its cyber policy’s terms. Any preferred counsel and forensic/IT vendors must be approved or added to the policy’s panel list.
Assess the Policy’s Business Interruption and Extra Expense Limit: As business income damages continue to increase, some insurers have now begun to apply lower sub-limits to their policy’s business interruption coverage. As a result, policyholders should perform an extremely careful assessment of both the policy’s terms and any limits. It’s also equally critical to discuss the carrier’s claim reputation with any insurance broker or counsel, as some carriers have more of a reputation for disputing certain business income related expenses.
Implement “Ancillary” Coverages: One of the most important “ancillary coverages” is D&O insurance, which provides protection against claims brought by shareholders, vendors, regulators, customers, and creditors following a cyber incident. Organizations should also consider crime insurance. While crime insurance provides for many non-cyber losses, such as employee fraud and theft of money on/off premises, in some cases, securing a crime policy alongside a cyber policy can help an organization achieve greater limits pertaining to e-crimes such as fraudulent transfers and social engineering losses.
FAQ
How Much Coverage Do I Need? This is a difficult question to answer. As an example, a ransomware attack can take upwards of a month to recover from, so in setting an appropriate ransomware limit, an organization would need to anticipate what a ransom demand might look like (given demands against similarly sized peers), what the resulting lost income and extra expenses could total, and factor in additional costs such as forensics and data restoration. In terms of calculating an appropriate e-crime limit, policyholders should consider the average and maximum value of any given transfer to help develop a baseline limit. There are a few breach calculators online that may be helpful, published by Chubb, At-Bay, and Alexio (for healthcare institutions).
How Much Does It Cost? Simple cyber endorsements for small and mid-sized companies can cost as little as $1,000 per year, with broader stand-alone policies at $2,500 to $5,000 per year for a 1 million limit. Larger companies and those with greater risk profiles, such as healthcare institutions, may see premiums upwards of 20k per million of limit.
Do Breaches Affect Small Businesses? Yes, it is estimated that 50% to 70% of breaches affect the SME sector (small and mid-sized enterprises).
We Don’t Store any Info, Do We Still Need Insurance? Yes, as we have outlined above, protected information is defined extremely broadly today and most companies process/store/transmit some form of protected data whether that be employee data or user/client data. Breaches also do not solely target networks or protected information, in fact, e-crimes such as social engineering and invoice manipulation are among the leading causes of loss.
What Security Controls Do I Need to Have Implemented? When applying for coverage, most carriers will require the basics from even smaller companies, including fully encrypted data/emails, multi-factor authentication enabled, appropriate data backup controls, malware detection and possibly EDR (endpoint detection and response). Larger companies and those with a greater risk profile will of course encounter stricter requirements, such as intrusion detection/prevention systems and data loss prevention systems.
Will This Policy Provide Protection For Theft of Our IP? No, first party coverage for theft of IP is never covered by network insurance. For more advice on protecting your IP, please see our recent article for BNA.
EPLI Insurance Guide
Managing employees carries risk - behind every employment decision is a potential lawsuit. Prospective employees that are not hired may believe they were discriminated against, employees working long hours may believe they are not being properly compensated or promoted, and employees that are let go may believe they were wrongfully terminated. EPL insurance (also known as employment practices liability insurance) provides coverage for defense costs, damages and claim expenses incurred as a result of employment related claims. It also provides a team of specialized attorneys that the organization can consult when making difficult employment decisions, in order to minimize the likelihood of a claim and any resulting damages. For directors looking to perform in depth policy reviews, we have published both a D&O Checklist and EPLI Checklist to assist with coverage assessments.
What Does EPLI Insurance Cover?
As briefly mentioned above, employment related claims can arise from a broad range of accusations. Depending on the business and its industry, certain claims may be more prevalent than others as demonstrated below.
- FAILURE TO HIRE & FAILURE TO PROMOTE: While these claims can affect any business, “failure to make partner” claims are particularly prevalent against law firms, asserted by employees/attorneys who, after dedicating years of long hours, are denied partner status or promised promotions.
- WRONGFUL TERMINATION & BREACH OF EMPLOYMENT CONTRACT: The employment at will doctrine isn’t ironclad, and eliminating the position after termination won’t always prevent a claim. Employees that are fired may often assert breaches of good faith and/or fraudulent inducement (among others).
- DISCRIMINATION & EEOC ACTIONS: Many companies are male dominated at the executive level and regularly seek younger candidates, both of which can easily give rise to gender and age discrimination claims. Additionally, the EEOC provides a convenient (and cost effective) avenue to employees that believe they have been discriminated against. These claims are not solely limited to blatant race or gender discrimination. Activities such as improper criminal background checks on applications and questions related to family medical history on job applications can also result in EEOC actions.
- WAGE & HOUR CLAIMS: Wage and hour claims are filed when employees believe that their employer has misclassified them as an exempt employee, they are working excessive hours, or believe they are not receiving appropriate pay/benefits. Wage and hour claims have grown significantly over the past few years. Even claims without merit can be costly to defend.
- SEXUAL HARASSMENT: Workplace sexual harassment claims can assert a myriad of accusations, including improper comments, inappropriate advances, and unwelcome conduct. Industries which are male dominated with a younger workforce (such as technology companies and financial firms) are increasingly exposed to such claims.
- 3rd PARTY CLAIMS: Third party EPLI insurance is particularly important for businesses with a large client base and those that deal extensively with the public, such as retailers, restaurants and commercial real estate owners. It provides protection against claims asserted by customers, vendors and other 3rd parties. These can range from violations of the ADA (such as failing to provide wheelchair access) to accusations of sexual harassment to discrimination claims by clients alleging they were discriminated against or did not receive the same level of professional attention. Not all policies provide 3rd party coverage, which is why it is important to perform a careful assessment.
How Is EPLI Purchased?
- EPLI ENDORSEMENT: Adding an EPLI endorsement to an existing liability policy is one approach to purchasing coverage. This approach however does have its downsides. Often, coverage is sub-limited to a limit of 100k, 250k or 500k (inclusive of defense costs) which often does not provide enough coverage. Additionally, the coverage provided is usually relatively basic. For example, among other claims, these endorsements usually do not provide coverage for: wage and hour claims, claims asserting breaches of employment contracts, or 3rd party claims asserted by clients or vendors. While an endorsement may be acceptable for small businesses, organizations seeking broad coverage will want to avoid such endorsements.
- D&O POLICY: Packaging EPL insurance through a D&O policy is generally the most common approach for many reasons. Most importantly, the coverage provided is broad. Employment claims also account for a considerable percentage of claims asserted against private company directors and officers. Lastly, it eliminates the need to manage multiple policies and is cost efficient for what it provides.
- STAND ALONE POLICY: There are four main reasons companies may prefer to purchase a separate, stand-alone EPLI policy: 1) companies interested in preserving their D&O limits solely for “true” D&O claims, 2) companies disinterested in D&O coverage and looking to obtain a more cost efficient EPLI policy without including D&O, 3) companies that have sustained prior claims, making it difficult to package with their D&O insurance, and 4) organizations seeking the broadest possible coverage with terms they can more easily negotiate.
Basic Terms Of EPLI Insurance
- DUTY VS NON-DUTY TO DEFEND: The duty to defend is an important element within professional and management liability insurance policies. It effectively transfers responsibility for the defense onto the insurance carrier, removing the burden from the insured, and it also provides a team of experts for consultation. Most companies will want to avoid purchasing any policies that are written on a non-duty to defend (duty to indemnify) basis.
- DEFENSE COSTS: When setting policy limits, employment practice insurance policies can be written one of two ways: 1) with defense costs included in the limit, or 2) with defense costs “outside” of the limit. Because defense costs account for such a significant portion of a claim, this is an important area of scrutiny. A policy with a 1 million limit which is inclusive of defense costs provides substantially less coverage than a policy with a 1 million limit which provides defense costs “outside.” Arguably, such a policy could be viewed as effectively maintaining a 2 million limit or higher.
- DEFINITION OF “EMPLOYEE”: As is the case with all professional and management liability insurance, all definitions must be reviewed carefully. Definitions of employees are, however, particularly important and should include: 1) partners, managers and LLC members, 2) part time employees, interns and volunteers, 3) independent contractors, and 4) prospective and prior employees.
- MISC EXCLUSIONS: While the above serves as a very general guide to some of the more important terms/exclusions contained within EPLI policies, there are still many others that require assessment (and negotiation), such as exclusions for breaches of employment contracts and/or regulatory/EEOC actions.
Recent Trends Increasing Employment Claims
- Gender (and transgender) equality issues are posing new challenges for corporations.
- Pay equity claims are sprouting up in certain states (such as NY and CA) alleging compensation disparities between races, genders, etc.
- Genetic discrimination claims are on the rise.
- The EEOC has been actively pursuing companies for improper use of criminal background checks on employment applications.
- Website ADA (Americans with Disabilities Act) claims are on the rise, brought by persons with disabilities asserting that they are unfairly being denied access to websites which do not provide proper audio/visual assistance.
- Mobile devices make it easier than ever for employees to record and document questionable workplace practices.
- Social media is creating workplace challenges for companies that base employment/termination decisions on employees’ social media usage.
- The DOL (Dept. of Labor) has been discussing the implementation of new overtime laws which would qualify previously exempt employees.
- Many industries, such as the tech and finance sectors, actively seek younger persons, resulting in potential (if inadvertent) age discrimination claims.
FAQ
- AREN’T EMPLOYMENT CLAIMS COVERED BY MY LIABILITY POLICY? Maybe. As referenced above, some policies do extend some coverage via a basic endorsement. However, these endorsements generally provide only a basic level of coverage, subject to usually low sub-limits which may not provide enough protection.
- HOW MUCH DOES EPLI COST? EPLI insurance premiums depend on a number of factors. The number of employees and the business’s industry are the most obvious rating factors. Generally speaking, a basic EPLI endorsement for a small company may cost as little as $300, while stand-alone policies and coverage purchased under D&O packages will often begin at $1,000.
- DOESN’T THE EMPLOYMENT AT WILL DOCTRINE PROTECT US? The short answer is no. The employment at will doctrine may protect companies from some wrongful termination claims, but it does not eliminate the possibility of lawsuits entirely. Wrongful termination claims are also only a small portion of potential claims against directors & officers of a company. There are a myriad of others, as highlighted above.