A Blog on managing risk in the Technology Sector

Managing Risk in the Tech Sector

Avoiding Your Start-up’s Funeral by Better Managing Risk

Entrepreneurs by definition embrace risk, and for any new start-up the odds are stacked against you going in. According to a 2012 study by Shikhar Ghosh, a senior lecturer at Harvard Business School, about 75% of venture-backed firms in the U.S. don’t return investors’ capital.

However, in spite of the statistics, entrepreneurialism is alive and well. Those who succeed, and succeed well, do so partly through a keen awareness and management of the risks they embrace. To increase your odds of start-up success, your approach to risk management should be methodical and considered.

There are many ways in which risks are categorized and sub-categorized, but boiled down, all risks have two key components: the assessed likelihood of the risk materializing and the assessed impact of the potential consequences on the business and its success in achieving its stated objectives.


High Likelihood / Low Impact | High Likelihood / High Impact
Low Likelihood / Low Impact | Low Likelihood / High Impact

Once you are able to map the risks into the appropriate quadrant, you will be able to effectively decide how to respond to each risk with your limited time, focus and resources.

For example, many of the risks falling into the low likelihood/high impact quadrant are transferable to another party through insurance. These could include litigation risks, the death or incapacitation of a management team member, the loss of your physical assets from fire or theft, or the insolvency of a major debtor.

You are unlikely to expend any meaningful time or resources on risks in the low likelihood/low impact quadrant.

For those risks you’ve identified as high likelihood/low impact, the challenge will be to identify solutions or seek changes in behavior that reduce the likelihood of the risk arising or reduce its impact further should it arise. These risks will have a negative impact operationally but are unlikely to sink the boat.

Risks in the high likelihood/high impact quadrant are oftentimes the killers for many start-ups, whether they come from insufficient demand for your product or service, burning through too much cash, falling foul of regulatory bodies, a failure to recruit, motivate and retain qualified staff, or being out-spent on marketing by your competitors – the list goes on.

The practice of identifying, assessing and responding to risks is what many entrepreneurs simply regard as ‘doing business’. However, integrating a risk management framework into your business planning in a tailored and non-bureaucratic way will go some way to ensuring that you are not taking on unnecessary risk, are pursuing the right strategies and are focussing your time and energies on the right things.

Hurricane Sandy: Negotiating an insurance claim is an art not a science

According to catastrophe modelling firm Eqecat, ‘Superstorm’ Sandy could result in up to $20bn in insured losses – possibly making it the third costliest storm in US history. Total economic damage will be in the range of $30-$50bn. The estimates seem to be increasing by the day as the real impact of the hurricane is realized.

As New York slowly starts to return to work, those of us in the insurance industry are expecting a potentially unprecedented number of claims to be made. What is less sure is how the insurance carriers and the policy language will respond.

As with all insurance contracts, the devil will be in the detail. Policyholders who have suffered a loss and will be submitting a claim should review their policy wording with their broker to determine:

  • Do their policies cover business interruption losses as a result of government action, e.g. evacuation by order of government, or is coverage contingent upon material damage?
  • Property damage has been caused as a consequence of wind, water damage, snow, fire, inland flooding and storm surge. Determining the cause of the loss could be vital to a claimant’s coverage – for example, most policies that exclude storm surge flood coverage afford limited coverage for flooding caused by sewer or drain back-up.
  • Other businesses may suffer a loss due to the impact of the storm on their customers or suppliers. Some insurance policies cover these types of contingent business interruption losses; others will not.
  • Sandy was downgraded to a post-tropical storm just before it made landfall in New Jersey. This fact has one important consequence for insurers and policyholders: will insurers be able to apply a hurricane deductible, typically a % of the loss, as opposed to a flat deductible? The states of New Jersey and Maryland have already issued bulletins stating hurricane deductibles should not apply.

Insurers could be exposed to different rulings on coverage, as each underlying policy would be subject to its own governing law and jurisdiction from state to state. CBS News reported that the hurricane’s impact extended across 20 states.

The good news is, despite suffering through a soft pricing market since 2005, as a whole the industry is well capitalized to withstand this type of loss. However, one of the first things I learnt when entering the insurance industry is that a policy is only a promise to pay and not all promises are equal.

Responding to and adjusting a large property and business interruption loss is an art, not a science, and this is where appropriate contingency planning and broker loss adjusting support can really matter. At Bartlett, we employ a ‘Major Loss Advisor’ to respond to these kinds of losses. This ensures that the loss adjusting process is managed with minimal hassle and maximum support and that our clients’ insurance policies respond as they were designed to – in our clients’ best interests.

The Cost of a Data Breach – $3.94 or $194 per record? Unpicking the numbers.

Data breaches and identity theft are common news stories nowadays.

Although it’s usually the more high-profile cases such as Sony, LinkedIn, Wyndham Hotels and Zappos that you tend to read about, small and medium-sized companies are frequently the victims of malicious or criminal attacks leading to data theft, or inadvertently breach customer or third-party data through the negligence of their employees or ‘glitches’ in their IT systems.

According to the Identity Theft Resource Center, 23 million confidential records were exposed in 2011. 2011 also saw the expansion of what courts consider to be personally identifiable information (PII). After breaches at marketing firms Epsilon and Silverpop, email addresses are arguably considered PII. The broadening of this definition places further burdens on companies to ensure they comply with the notification requirements enshrined in both state and federal law following a breach involving personal information.

Data breaches and cyber crime can cost organizations millions in fines, legal damages, notification costs, public relations expenses and loss of profits. In a recently released report by NetDiligence, the average cost per breach was $3.7m, with the average cost per record at $3.94. This data was derived from 137 insurable events that occurred between 2009 and 2011. As the report correctly points out, the sample is a small subset of total data and focuses only on those costs which the insurance carriers incurred.

Another authoritative report is the annual benchmark study carried out by the Ponemon Institute. In 2011’s study, the cost of a data breach was reported at $194 per record and $5.5m per breach.

So which number is correct?

The Ponemon report studies 49 U.S. companies in 14 different industries and examines a wider range of business costs following a data breach including expense outlays for detection, escalation, notification, impact of lost business and cost of increased customer turnover or churn. As the NetDiligence report also points out – we shouldn’t get too hung up on the cost per record. Although notification costs will correlate to the number of records, the legal and forensic costs are more likely to correlate to the complexity of the breach and the specific requirements of the industry.

As one study focuses on insurable costs and the other on total business costs, we can infer a number of conclusions from the studies:

(1) Not all your exposure is insurable – it’s important your broker or risk manager is able to clearly articulate what coverage is being offered. Cyber insurance is constantly changing and responding to emerging risks and new legislation. As there is no standardized form in the market place, as a buyer you must be fully informed of the coverage and exclusions being offered. Don’t stick your head in the sand and wait for a claim to come in!

(2) Only 10% of the NetDiligence study sample includes first-party claims, that is, first-party expenses (excluding notification costs and other ‘crisis’ services) and loss of profits following a data breach. The variance between the two studies would suggest that first-party losses make up the bulk of an organization’s exposure.

(3) As the Ponemon study notes, companies are becoming better at employing data loss prevention strategies and response plans. Those companies that are better prepared benefit from reduced losses when a data breach occurs. The leading insurance carriers will offer support in implementing such strategies and plans as part of their overall service – indeed, cover will often be contingent on implementing such controls. The variance in costs may also indicate that the insurance carriers are underwriting the better quality risks.

The overall variance between the two studies shows that risk transfer through insurance is not a panacea but only one of several strategies companies should employ to reduce their exposure to data breaches. Those companies working in the financial services, healthcare, retail and technology sectors continue to have a significant exposure.

How neglecting to read your E&O insurances could leave your Tech company with a large legal bill

There are over 20 carriers offering E&O insurance for technology companies, to protect companies from the potential devastation of a lawsuit. However, the quality of coverage they are providing varies considerably.

Throughout the insurance world, E&O policies typically provide coverage for occurrences involving professional negligence – essentially these policies are a type of malpractice insurance for companies providing professional services. The coverage has generally provided protection for an insured’s liability in tort and not in contract.

Technology companies blur a traditional divide between those firms providing a product and those providing a professional service. For example, commentators have debated whether software or other technology products are a “service” or a “product”. In reality, many technology companies’ activities will include both the development and sale of a good (e.g. software) and the provision of a service (e.g. installation, calibration, design, consultancy).

Whether the insured is providing a service or a product is an important distinction. In the U.S., ‘pure financial losses’ (i.e. losses to a third party without personal injury or property damage) caused by a defective product will not be recoverable in tort, while pure financial losses due to negligent provision of services are normally actionable as a tort.

Many (but certainly not all) carriers will limit claims alleging a breach of contract against an insured, either through a blanket exclusion in their policy or by excluding any claims arising from contractual obligations which go beyond the duty to exercise a degree of care or skill consistent with industry standards.

The third party in Technology E&O claims is almost always the insured’s customer and as such these claims generally arise out of a contractual relationship. Oftentimes due to the nature of a technology company, it is difficult to distinguish between what is negligence in the provision of services and that which gives rise to a breach of contract claim due to a defective product.

As a result, while the claim or suit may also include non-contract claims such as negligent misrepresentation or fraud (often asserted in an attempt to avoid liability or damages limitations in the contract), the heart of an E&O claim is almost always the breach of contract. This leaves a considerable amount of ‘grey’ area for those carriers whose policies restrict breach of contract claims. For those who exclude breach of contract claims altogether, the insured and insurer will be left with the task of distinguishing between what part of the claim relates to the insured’s liability in tort and what part relates to a breach of contract. The latter would not be covered by insurance.

According to Karen I. Johnson, Complex Claims Manager for Travelers Insurance, “In almost all [technology and manufacturing] E&O claims/suits, there would be no basis for holding either party liable to the other absent of the existence of the contractual relationship. For this reason, purchasers of E&O coverage should carefully consider how the various coverage offerings treat breach of contract claims.” 

For technology companies looking for clarity with respect to what protection they are buying, reviewing your policy exclusions with your broker is a must. Contractual liability is just one of several exclusions, which can greatly restrict coverage under an E&O policy.