Insuring Startups Against Operational Risks : Starting Up & Right : Episode 10



Trae Nickelson: Hello, welcome back to Starting Up & Right: Conversations with a Startup CFO. I am Trae Nickelson, your co-host. With me is Ryan Keating, your CFO and other co-host. Hey, Ryan.

Ryan Keating: Hey, how are you? Good to see you.

Trae: Good to see you too. Today, we're talking a little bit about risk. I know as a CFO, you talk a lot about reducing the risk. Especially in fundraising, you're reducing the risk of your investors. You're communicating that on a pitch deck. Today, we're going to talk a little bit more about operational risk and some of the risk as a CFO you have to advise your clients, the startups to consider as they make their way through the different growth stages. Joining us today is Beau Freyermuth, a vice president at HUB International, one of your go-to resources for this type of product and discussion. Tell us a little bit about Beau, HUB International, and when you think of reaching out as a CFO.

Ryan: I'm looking forward to this. I've worked with Beau for well over a decade. He's been supporting our startup clients. It's amazing to me how much value he can bring to the table when we'll just have a very simple request like, "Help us figure out risk," [chuckles] and his ability to really dig in and look at the different products, and not just products for the sake of offering products but products based on where the company's at in their fundraising, in their growth, in their product development. Are they foreign, domestic operations? Are they pre-revenue, post-revenue?

He really takes the time to look at where the clients are at and what they need at that point because it changes. Just like risk with all of our clients as they grow, as they expand, as they bring on more capital or bring on more clients, your risk will change. That's one of the things I really enjoy about working with Beau is he has the ability to really double-click and dig in as to where are they at today, what is too much, what is overkill, so to speak, what is required, and really advise our clients accordingly.

Trae: Got it, perfect. Well, with that, let's bring Beau on camera. Hey, Beau, welcome to the show. Thanks for joining.

Beau Freyermuth: Hi, thanks, Trae. Thanks, Ryan. I appreciate the opportunity to speak with you today.

Trae: Ryan framed it up, but just tell us a little bit about yourself, about HUB international, and what you do over there. We'll dig into the details after a little general intro.

Beau: Sure, of course. Beau Freyermuth, as you said, vice president at HUB International. I've been an insurance broker focusing on commercial insurance, business insurance for about 20 years now. My partners and I worked at a company called Sweet & Baker in San Francisco and we really focused on technology companies, startups, tech businesses in the Bay Area. As a function of where we were located in San Francisco, we ended up selling that business to HUB International, a much larger organization, five years ago. HUB is the fourth-largest brokerage in the world. Acquiring Sweet & Baker gave them a jumpstart on really working on those technology companies in the Bay Area.

Ryan: All right, Beau, as a company moves beyond the initial step of incorporation and you've mentioned the default policies, your general liability, your workers' comp, we've noticed an inflection point where a company will set up a contract, have some sort of contract. Oftentimes, it's maybe a lease to move into an office space, sometimes it's for some co-development, you name it, but there's a contract in place.

There will often be insurance requirements in that contract. I know from working with you a lot, not only do you advise on what you need, but you also push back on what's an overreach. Maybe walk us through that and how as a company is progressing through these stages what they might be expecting.

Beau: Yes, absolutely. I think it's a very important topic to discuss because one of the most common requests I get from startup businesses is they ask me, "We received this contract and it has a section on insurance listing all these different types of coverages and limits. What do we need? What should we buy here? What's a reasonable request and what isn't?" Those contracts can come from all different angles.

As you mentioned, leases. As soon as a business engages in a lease to take on office space, the lease is going to have an insurance requirements section. Anytime they engage with a new client, the client's going to ask them to show evidence of coverage. Every one of those contracts is going to have those foundational policies, general liability, workers' comp, what's called employers' liability, which is also synonymous really with workers' comp that's built into a workers' comp policy, and then various others.

The limits of coverage are different on every single contract I've ever seen. Where I can add value to these companies is trying to determine how much is being asked of them, how much coverage, what types of coverage, and what those limits are. A lot of times, these contracts are boilerplate documents. They show what was used on the last engagement and the limits are inappropriate for this startup business.

That's a pretty typical conversation, right? I can tell them these types of insurance are a standard request. The limits of coverage are sky-high. You should go back to them and tell them you don't have these limits of coverage and that you do have the limits you have and they should be acceptable. That, again, usually results in an adjustment to the contract and to the startup's benefit.

Trae: Just listening to you guys talk so far even, I realize I need just a basic primer or 101 here because there's E&O, there's D&O, EPL. I don't know what any of that is. Can you just go through the highest-level definitions for my vocabulary here, I guess?

Beau: Of course. Let me just run through the basics. General liability is coverage for claims alleging bodily injury and property damage. It makes sense that a landlord would ask you to have it. If somebody's in your space on your location and they slip and fall and get injured or their property is damaged, you should have coverage for that. Property coverage is, as it sounds, protection in the event that your property is damaged or stolen, which can be a valid type of insurance for technology companies specifically to buy if they have servers or they've done a big remodel on the space they occupy and they're responsible for the retrofit, so that's the property.

Workers' comp is coverage for claims alleging employee injury or illness. Workers' comp is the only type of insurance required by law. As soon as you generate the first dollar in payroll, you need to put worker's comp coverage in force. Those are, again, the fundamental, foundational policies for a business. Moving on to more business-specific, there's E&O, errors and omissions coverage, which is also referred to as professional liability.

E&O is coverage for claims alleging financial loss. A customer says, "You assured us that you would provide this service and it would result in whatever gains and it didn't. We actually lost money" or "The product you sold us was supposed to give us financial benefits and it actually caused us to lose business." Something along those lines would result in an E&O claim. The policy is going to cover defense costs, legal fees, as well as a settlement brought against you in that case.

Next up would be D&O, directors and officers insurance. D&O is similar to E&O in the sense that it provides coverage for claims alleging financial loss, but the coverage is provided to individual members of the business. That could be executives. It could be regular employees in the business, it could be board members, and it could also be investors. An investor in a business is actually covered under the business's D&O insurance, which makes it popular with investors.

Next up on the list would be EPL coverage, employment practices liability. EPL covers two areas really. One is first-party claims, meaning an employee of the company sues the company for things like harassment, discrimination, wrongful termination, failure to promote. In some cases, wage an hour, which would be not paying the employee enough money for the work they've done, and so forth. That's the first section.

The second section will be third-party claims of the same nature. Things like harassment or discrimination. Say a customer claims those things, right? On a sales call, they were harassed, discriminated against. You wouldn't sell them your service or your product because of the color of their skin, something along those lines. That's the EPL coverage. Lastly, important to point out, is cyber liability, which Ryan already mentioned. It's also referred to as privacy liability. This is the most popular type of insurance right now, unfortunately.

Cyber liability coverage protects a business in the event that they suffer some type of a data breach or a hack, a ransomware demand, something where an outside entity infiltrates the security systems of the business and causes either first-party damage, damage to the business, to their network, to their computer systems or their reputation, as well as third-party coverage. Anybody whose records you have access to or that you store that's adversely affected by that breach would also be covered under the cyber liability policy. Those are the key policies to consider and a high-level overview of what they do.

Trae: Very helpful. Thinking through as we're discussing with Ryan the different stages, I can see where these would apply and become much more important as you reach the different inflection points in the startup growth.

Beau: Yes, absolutely. There are a few different inflection points that trigger the necessity for each of those types of policies. The D&O, starting there, the big trigger for D&O is a funding route. As soon as an investor engages with a business and offers $20, $30, $50 million for the business to assist in their growth, they may ask for D&O insurance because, again, an investor is listed as insured under the D&O policy.

Ryan: All right, along with fundraising, we talked about D&O. I know there's other policies or insurance requirements that can come up. What do you see in addition to D&O sometimes tied to fundraising?

Beau: It's a good question. Every fundraise is different. Every one of these engagements has its own requirements. What I would say is unique to fundraising rounds is the request for what's called key person insurance. Unlike other types of commercial insurance policies, key person insurance is actually a life insurance policy. It is commercial coverage because when a policy is written, the business, the company is the beneficiary of that policy.

Really, the way that policy is written is it's a life insurance policy on that key person in the business. A good example of that would be a company that has patents. Say a new company has a suite of patents that they're using for their business, but the patents are in one of the executives' names individually. In that case, that person is a crucial part of the operation.

If something was to happen to them, the company would need to make sure that they absorb that patent and become the listed patent holder. That can come with a cost, right? What you do in that scenario is you buy a key person life insurance policy. You put that policy or you underwrite that policy based on that individual's health and age and whatever else goes into underwriting a life insurance policy, but the business is the beneficiary.

If something happens to them, the policy pays out, pays the company. One thing that companies don't typically understand is that that's only one piece of that puzzle, right? The second piece is what's called a buy-sell agreement. This is actually not an insurance product. It's a legal contract, an agreement that's put in place to sidecar with that key person policy to make sure that if that policy is activated and the money is paid to the company, that money specifically goes to buy out the patent, right?

That buy-sell agreement actually predetermines how the payout from the life insurance policy will be used in order to pay the family of the deceased, pay whatever is necessary to acquire those patents, and whatever else. That combination of the key person life and the buy-sell agreement is what creates the ultimate risk protection for that business. Going back to fundraising, some sophisticated venture capital companies or investors when there is a company like this that has a key person that has specific value, they'll ask for a key person life policy.

Trae: Makes good sense. As you were talking about the risk assessment and, actually, as you were describing the EPL, it occurred to me, there's been some past headlines that were culture-based and you're assessing the risk. Is it startup flying? Are they flying fast and free or do they have processes and training? Is that something you look at as you're going in each case and I guess designing and recommending an EPL package?

Beau: Yes, it's a good question, Trae. Some businesses I can tell pretty early on are very strong candidates for EPL coverage, some aren't. Some don't really seem to have much of a risk. The short answer there is young startup technology companies that are moving at a high pace and there's a lot of potential turnover or rapid growth and then reduction in staff. Those types of companies should take EPL coverage very seriously. As I mentioned, there are really two components. There's first-party coverage on EPL policies, which would be employee-based claims; and then third-party coverage, which is the outside world suing the business.

To build on your question a little bit, in today's world over the past few years with some of the social movements, things like the Me Too movement, Black Lives Matter movement, things like that, there's a lot more of an exposure for things like discrimination and harassment that companies need to take very seriously. That's a conversation I have with all of my clients regardless of their size or how they operate their business or manage their workforce. That third-party EPL exposure is important to consider.

Ryan: Beau, you touched on cyber security, but I know recently even with my own interactions with you as you are our provider of insurance for my company, this has become a topic, cyber security. We see it in the news all the time. I know just yesterday, we heard where there was a situation with a mobile carrier having about 40 million users' information exposed. Maybe talk a little bit more about cyber security and how it's really become a must-have for companies these days.

Beau: Yes, I'm really glad you brought it up. In my day-to-day life as an insurance broker, I am fielding calls and inquiries about cyber liability multiple times a day. I think part of that is because we are all seeing it on the news, in the press, companies that we all know. Major brand names are suffering cyber attacks. This is a hot button. This is something that every business should be considering. What's interesting to me is, five years ago, not many companies bought this type of insurance.

It wasn't on companies' radars. Insurance brokers like myself were learning about it and talking about it and selling some of it, but not every company was buying it. There weren't a lot of major claims that were taking place. That has all changed. The entire cyber liability marketplace has been flipped on its head. Part of that is the results, the impact of these claims that have taken place, both the severity and the number of claims of cyber attacks that have taken place.

Also, just the insurance underwriting community and cyber liability had to completely reassess what they're offering from a coverage standpoint and how they're pricing these types of policies. Again, touching on what this insurance protects you for, if you're on the internet like we all are during COVID, engaging online in video conferences, sending emails back and forth, any online activity like that makes you susceptible to a cyber breach.

The damage can be multi-faceted. Your network as a business could be damaged or be shut down. Your computer systems, the hardware itself could be damaged. Your reputation as a business could be harmed. It could jeopardize people doing business with you going forward if they're unsure about your security measures, and then all the people who you have information on, personally identifiable information.

If their information is stolen, then they're susceptible to damages too. A lot of protection is necessary. Again, unlike other types of insurance where there are things like a funding round that triggers coverage or the first day you start generating revenue or payroll, cyber liability is agnostic as far as what triggers it. Every business should be thinking about it and I'm having those conversations every day.

Ryan: It's interesting. It's not just that I have 40 million user records. It doesn't have to be that. If I'm a startup and I'm thinking, "Geez, I don't keep any user data. I'm fine," what is the exposure for maybe even like a pre-revenue company? You used a great example about just interacting online with co-workers. When should they start thinking about this?

Beau: If you have employees, you hold your employee records. Right there, that's not only personally identifiable information but, in some cases, financial information and other sensitive information, right? Even if you don't have any customers but you hold that type of information, you have an exposure. You may have heard the term "ransomware" before or what's called "cybercrime."

One of the more common hacks that are taking place right now is where somebody infiltrates your network, recreates an email address to make it look like it's someone internal, say one of your employees, and they start a dialogue via email internally. At some point during that dialogue, they'll say, "Send me a check for this amount of money. We missed this" or "I need to make an adjustment to our banking profile. Would you mind passing along the account number?"

Trae: Your password.

Beau: Right, your password. In that scenario, your corporate bank account is susceptible to a breach, right? You don't have revenue yet, but you just brought in funding. You may not have any customers yet, but you're still vulnerable to that type of a breach. Unfortunately, cyber liability is something that companies should be thinking of right out of the gates.

Ryan: It's interesting. It's not just the headlines we see where 100 million user data is stolen because even us, a small, little company, we'll see emails where it pretends to be somebody working and say, "Hey, quick, I need you to get back to me immediately. I need to issue this wire," and we're like, "It's not--"

Beau: Or, "Just click this link and your problems will go away," right.

Ryan: That's interesting. In my mind, I've always thought of it tied to holding customer data and that data being stolen. You have an exposure to the fact that all those customer data is now out there, but it even goes way before that.

Beau: It does. The good news is that if you have a lower risk profile, the pricing will reflect that. Should you buy the insurance? Yes, you absolutely should or at least be educated about what it offers you and go through the quoting process. See what the cost would be. If you are pre-revenue, you don't have customers, you really only have access to your employee information, let's say, you do have security measures in place, then the insurance probably won't be very expensive for you, but you should still consider it. I would agree.

Then those customers, the clients of yours that you mentioned that do hold big chunks of data, in some cases, sensitive information, companies that are engaging in the healthcare space, the financial industry, those businesses are going to be on the other end of the spectrum from an underwriting perspective and a pricing perspective. I think that reflects the risk profile of that business.

Ryan: Beau, let me ask a question about-- again, thinking about the companies we work with, there's a progression that we often take our clients through, which is going from pre-revenue to revenue. What are some of the major changes or exposures that you see that a company should be thinking about as they make that big move to a revenue-producing company?

Beau: I would say the biggest change from a risk exposure standpoint when you go from pre-revenue to revenue is the consideration to purchase E&O insurance, errors and emissions. Again, E&O coverage is going to protect you in the event that someone that you're working with or working for sues you, alleging some type of a financial loss. Usually, as soon as you start generating revenue, you have customers you're interacting with new business, existing clients.

You're often running as far as providing the service you provide or the technology, the software, whatever it is, and your exposure starts going up. If a company at that stage does not have E&O insurance, they should be considering it and putting it in place in most cases. Other than that, really, if the other types of insurance have been put in place, as you start generating revenue, you just want to make sure you level-set your limits of coverage.

Start bumping up your limits to be appropriate for the amount of exposure you have as you continue to grow as a business. There isn't a formula that dictates how much coverage you should buy based on the revenue you generate. My clients are always asking me what their peers are doing to provide them with some type of benchmark information, showing what other companies of a similar profile are buying from a limit perspective.

Luckily, we write a lot of insurance, right? We work in a lot of startup companies. Technology companies can answer that question pretty easily. I think that's how it goes with technology companies in general. They always want to know what others are doing. With that information, they can decide what types of insurance, what limits of coverage they should have. That's been helpful guidance that I've been able to offer my clients.

Ryan: How often do you suggest a company reassesses their coverage? It's not a one-and-done, I'm assuming, right? It's an evolving equation, I imagine.

Beau: Yes, so at the bare minimum, I like to speak with my clients twice a year, every six months. Once a year is going to be to discuss the renewals. These policies are 12-month policies. Renewal underwriting usually starts nine months before the renewal date. That would be a good time to discuss what is currently enforced, how the business is doing, what changes have happened, and if we need to go through that level-set process on coverage limits or types of insurance. The six-month mark is more for me.

I want to know what the company is up to, if there've been any changes in the business operations, a new line of product offering, M&A discussions, if they've been in touch with any other smaller businesses, they're looking to acquire or have been engaged by larger companies. Any event like that or any kind of pivot in the type of work they're doing or the trajectory of the business would be a good time to meet with your insurance broker and discuss if things should change or remain the same.

Trae: Well, we learned a lot about insurance, Beau. Friends, family, weekends, what do you do for fun? A little bit about Beau before we wrap up.

Beau: Yes, no, thanks for asking. Married, I have two kids, 10 and 8, and a dog who's sitting right here. He's 12.

Trae: Good dog.

Beau: A lot of family time outdoors. I love the outdoors. I'm an avid mountain biker, a windsurfer. I coached local teams for my kids. Any chance we get, we're really outside taking advantage of living here in the Bay Area.

Ryan: It's nice. That's awesome.

Trae: Thanks for joining. Thanks, Ryan. Thanks, Beau.

Ryan: Beau, thanks. Really enjoyed it. I've enjoyed our 15 years and, yes, more collaboration. I always look forward to it. Thanks, Trae.

Beau: Thank you, Ryan. Thank you, Trae.