New Articles

Your Business Needs Insurance


Your Business Needs Insurance

Many startups perceive insurance as a luxury, shelving it until they are further along in the company’s lifecycle. However, any business serious about sustainable growth should not postpone this decision.

There is always a risk is involved in the process of starting and growing a company. Having adequate insurance is key to the success of your business and an issue every business owner needs to consider. Business insurance for startups provides valuable protection against the unexpected. Without coverage, threats like theft, fire, data breaches, or lawsuits could disrupt or damage your business.

Once you understand how insurance is vital to your business, you will be better positioned to determine how much of it you need. Business owners must weigh the cost of insuring against various risks and the economic impact of an uninsured loss.

Running a business comes with inherent risks. Protecting your assets is important, yet many new companies often have insufficient insurance. How much insurance should a new business owner secure, and what are the liabilities for being uninsured? That all depends on the needs of the business.

The startup ecosystem is diverse and may or may require different types of coverage. For example, startups that work in the software area will have to protect themselves most from client lawsuits alleging professional liability. Startups working in biotech, proptech, or fintech face constantly changing and often unclear regulatory requirements may need to focus on compliance first.

Thoughtful diligence is needed during the process of deciding on the type of business insurance your startup needs. What kind of insurance best fits your startup? What is the appropriate amount of coverage? Do I need insurance this early in the game? Below are a handful of reasons your business should have insurance:

The Law Requires it

The Law requires businesses with employees to have certain types of insurance: Unemployment, workers’ compensation, and disability are a few.

Failure to carry required coverage could result in fines, penalties, and “cease and desist” orders.

You Could Get Sued

If a liability claim or a lawsuit is filed against you and your business is without insurance, there could be serious and very costly implications. Even winning could cause you to go out of business due to the cost of legal defense. Liability insurance allows you to concentrate on what you do best, running a profitable business.

Insurance Keeps You Up and Running

What happens if your business is affected by an earthquake or flood? P&C insurance covers loss of property, equipment, etc., income lost during a business closure. Business Owners Insurance (BOP) can play a critical role and help a company survive protecting against income loss. BOP also compensates for everyday operating expenses you may have otherwise incurred during that time. Some companies choose to insure lost income and include protection to pay employees for up to 12 months.

Required in Contracts

Some variables come into play when it comes to insurance and contracts: If you lease or rent, the landlord’s policy may not cover you, and you may need to carry insurance. The loan agreement likely contains an insurance requirement if you borrow money to finance buildings, equipment, or operations. Client contracts could specify that you carry insurance.

Common types of insurance businesses should consider:

Workers’ Compensation Board (WCB)

Your business is growing. How do you know if it is time to protect it with workers’ compensation insurance? Most business operations will be required to have workers’ compensation coverage. This covers workers’ medical and wage-loss costs if an employee is injured or contracts an occupational disease while on the job.

Directors and Officers Insurance

D&O insurance is for businesses that are incorporated. In general, D&O insurance provides coverage against the wrongful acts committed by directors and officers. Are you looking to raise money? Many institutional investors, such as venture capital firms, stipulate that a D&O policy must be in place as part of the term sheet before the financing is complete.

Employment Practices Liability Insurance: As your company begins hiring, consider EPLI Insurance. EPLI protects your company from employment-related lawsuits such as sexual harassment, discrimination, wrongful termination, and more.

Technology Errors & Omissions Insurance: A startup providing professional services based on professional expertise should consider E&O insurance which protects against claims that allege damages arising from technology services you have provided. Your customers and partners may even require it.

Fiduciary Liability Insurance: If your company offers employee benefits such as health insurance, stock options, and other benefits, you probably have a person responsible for handling these benefits. FLI protects your company and your employees if someone responsible for these benefits makes a mistake for which they can be held liable.

No company owner can predict what might happen down the road. In a perfect world, natural disasters, injuries on the job, or lawsuits never came to pass, but there is no guarantee that such things won’t happen. For that reason alone, it’s best to have your company insured.


André Thiollier is a partner with Foley & Lardner LLP


Understanding Cyber Liability Insurance: Securing System Access to Secure Coverage

Organizations purchase cyber liability insurance as a way to mitigate the impact of data security incidents. However, as with any liability policy, cyber risk insurance incorporates a set of exclusions that allow insurance companies to deny coverage. While most policyholders and insurance professionals assume that external monitoring acts as the only way to ensure coverage and reduce the likelihood of costly coverage litigation, digital transformation has shifted the perimeter away from external controls such as firewalls towards a more focused approach on identity and access.

Understanding Cyber Insurance Exclusions

Everyone reads the Insuring Agreement, or the part of an insurance policy that provides coverage. Typically, this section lists out all of the events for which an organization can submit a claim. For example, many cyber insurance policies will cover unauthorized access to systems, networks, and software that leads to a data security event.

However, as in life, all promises come with conditions. In the insurance world, conditions are called the exclusions, or the activities that are reasons allowing an insurance company to deny coverage. Generally located at the end of a policy, these may seem logical. For example, in a cyber-risk policy, an insurer does not need to cover the loss if the policyholder failed to enforce reasonable security practices and systems maintenance procedures.

In other words, if a data security event is the result of failure to enforce best security practices, the insurance company can deny the claim.

Why Identity and Access Matter to Data Security

As evidenced by the recent Twitter breach, cybercriminals increasingly target users as a way to gain unauthorized access to privileged locations in an organization’s IT ecosystem. This tactic makes sense in many ways because privileged accounts traditionally have universal access to an organization’s most important services and data.

For example, to do their job, IT administrators need nearly unfettered access to an organization’s ecosystem. They need to create accounts and grant access to other users. However, that also makes them a high-risk user. They could conceivably create fake accounts and grant themselves privileged access then engage in malicious data theft or credential theft, moving around in the organization’s systems and networks without looking suspicious.

Similar to the Twitter breach, this type of activity is hard to recognize unless the organization is actively monitoring who has access, how they use their access, what they access, and why they need it.

Enforcing Identity and Access Controls as Data Security Best Practices

Data security best practices pose problems for organizations as no set definition exists because cybercriminals continue to evolve their methodologies. With most organizations embracing remote workforces for the foreseeable future, on-premises security controls no longer provide the necessary protection. In order to secure data and protect privacy, companies should look to the Identity perimeter to limit access and monitor privileged access within their ecosystems.

Enable Zero Trust

Zero trust, aka “never trust, always verify,” is a cornerstone of enforcing identity. This is widely becoming not just best practice, but a table stakes identity and access management strategy – especially for users with elevated privileges. In a business application landscape overrun by phishing and brute force attacks, there is little confidence in usernames and passwords being the primary driver for identity and access management. That’s not to say that usernames and passwords don’t have their seat at the table, but they can’t be sitting alone. Combining them with dynamic controls that evaluate the context of access to determine risk is critical. Trusting the same access privileges, no matter what the circumstances, will lead to security threats. IT leaders must assume that cybercrime can circumvent their perimeter identity controls and be acting accordingly.

Apply the Principle of Least Privilege (PoLP)

The first step to creating best Identity and Access Management (IAM) practices is to ensure all users have only the access they need to fulfill their job functions and nothing more. For example, someone in human resources (HR) might need access to an employee’s address, but that individual may not need all the banking information attached to the record if they are not in the payroll area.

Enabling PoLP Using Attribute-Based Access Controls

For legacy business applications, PoLP is a non-starter because access governance is dictated by static, roles-based access controls (RBAC). For example, an HR manager needs a certain set of rights within the organization’s system. However, RBAC only limits access based on what the user does in the company (unless manually changed). With attribute-based access controls (ABAC), organizations can set additional contextual attributes such as geographical location, IP address, or time of day. This additional context allows the organization to limit access to high-risk resources on a more detailed level. With the explosion of remote work, ABAC provides a way to limit users’ access when the organization has determined that a location or time of day would be considered riskier. For example, someone using a public WiFi is at a higher risk of a man in the middle attack than someone using their home WiFi. If the organization sets trustworthy IP addresses, users cannot access sensitive information from public WiFis, reducing the attack surface.

Continuously Monitor Access

The same continuous monitoring mantra that exists at the network perimeter also holds true at the Identity perimeter. With user access monitoring, organizations can review the resources accessed to ensure they are appropriate to the users’ needs. Organizations need a way to detect suspicious access to sensitive information. For example, if an HR representative is accessing healthcare information at 2:00 AM, the organization needs to know whether that employee typically works late at night or whether this is an outlier signaling a potential data security incident. Without visibility into when and how users interact with data, organizations cannot prove that they enforced their access policies as a best practice.

Digital Transformation, Remote Work, and Securing Coverage

Digital transformation, accelerated by the rapid move to remote workforces, streamlines productivity but also increases risks. With more users connecting more devices from more places at less regular times, identity and access is an integral part of an organization’s data security.

Establishing and enforcing strict access policies is now more important than ever before. Malicious actors will continue to look for user accounts that act as back doors to organizations’ systems, networks, and software. In order to secure cyber liability coverage, companies need to be more actively engaged in monitoring access and mitigating potential threats arising from compromised accounts.


Piyush Pandey, CEO at Appsian ( is a technology executive with 19 years of global experience in strategy, sales, mergers & acquisitions, and operations within software companies. Over the last 10 years, he has worked with enterprise software companies including Oracle, Epicor, Concur, Citrix and Microsoft on various transactions. He has held various leadership positions at Procera, Deutsche Bank, Stifel, Wipro Technologies and a wireless startup.