As technology becomes increasingly embedded within financial institutions, it is arguable that through the inclusion of aspects such as proprietary software and embedded finance, even the most traditional businesses now need to consider whether their existing insurance arrangements cover their full range of risks. Now more than ever, it is crucial that firms ensure their insurance policies are aligned with the scope of the services they provide. Not all insurers are able to provide Tech Professional Indemnity, and not all brokers have access to the specialised subset of insurers that can. Asking the right questions around whether you are covered for technological services, as opposed to solely professional services, is a sensible piece of diligence that all impacted firms should raise with their insurance broker.
Traditional PI policies centre on claims alleging negligence in the provision of professional or financial services. This coverage is typically predicated on there being a contract for services with a client, with the claim relating to a wrongful act alleged to have occurred while providing those services to a third party. Where Tech PI differs is that it contains policy triggers that may not fall within this traditional provision of services. For example, system outages, intellectual property infringement, data breaches, or software bugs may fall outside the scope of many traditional PI wordings. Furthermore, exclusions commonly found in traditional PI policies can remove cover for proximate causes of loss such as mechanical breakdown, including software failure, which clarifies that there is often no intent to cover failures arising from technology-based services.
Outside of the policy contracts themselves, transparency in the representation of a business is also essential. Market-standard proposal forms often struggle to capture technology businesses with multiple and evolving operations. For the terms provided to accurately reflect both the scope of work undertaken and insurer intent, the presentation to the insurance market needs to go beyond simply completing standardised forms. As a minimum, we would suggest providing supporting information including a business plan or presentation deck, draft terms of engagement, the latest reports and accounts, company policies relating to information security, data protection and data breach response, and CVs of the principals of the business.
The above may appear to be an emphatic call to action; however, the potential impacts and consequential losses that can stem from technology system failures make this a necessity in our view. While businesses will often have liability caps in place with clients, recent events demonstrate that claims for damages can fall outside of these limits. Examples include Blackbaud facing a $3m penalty in 2023, the CrowdStrike incident causing estimated financial damages in excess of $10bn, and industry estimates suggesting insured losses from the Amazon Web Services outage were up to £436m at the upper bound of the range.
Positively, as technology has evolved, so too has the insurance market, and there are now a select number of insurers offering Tech PI cover. This provides competition and comparison of both coverage and pricing for clients seeking insurance solutions. In addition, complementary coverages can be packaged with these same providers, allowing clients to utilise a single insurer for Directors’ & Officers’ Liability, Crime and Cyber Liability alongside their Tech PI coverage.Navigating this landscape and obtaining appropriate terms requires a broking partner with experience of, and access to, the specialist insurance market. At BMS Group, our approach is to ensure every client has access to senior and experienced personnel, enabling them to navigate the insurance market and achieve their desired outcomes across both technology and financial risk insurances.
The CrowdStrike Incident – A Wake-Up Call for Insurers?
Loss estimate for AWS outage between $38m and $581m | Insurance Times