Our reliance on computer technology products and services increases every day. Not surprisingly, the number of technology companies has similarly grown over time.
Less obviously, businesses operating in more traditional sectors are beginning to offer technology services and products ancillary to their core business. This expansion creates technology-related exposures that may not be covered under an organization’s existing insurance policies.
Technology errors and omissions (tech E&O) coverage can help organizations manage these risks.
What is tech E&O insurance?
Tech E&O insurance covers damages, legal fees and other ancillary costs resulting from third-party claims alleging the failure — in other words, error or omission — of an organization’s technology product and/or services. A good example of a technology services claim would be one where a technology vendor negligently migrates data from an old system to a new one and damages or destroys the data.
Tech E&O insurers define the scope of coverage for technology services and products utilizing two different approaches:
The first, and most common, approach is to include specific definitions in the policy. “Technology products” typically include computer hardware and software and telecommunications equipment. “Technology services” are generally defined as services related to the use of technology products, information technology and security, including data security, maintenance, repair, support, training, data storage, data processing and related consulting.
The second method is for a policy to list the services and products that a company provides.
It is not unusual for policies to take a hybrid approach. Both approaches have advantages and disadvantages, so it is important for a policyholder to work with its broker to ensure its policy language matches the exposures it wishes to address.
Tech E&O policies can be, and often are, customized to reflect the products and services an insured organization offers. It is essential to ensure that the scope of coverage includes all of an organization’s technology products and services.
Hidden risks
If you have read this far and decided that your organization does not need tech E&O insurance because it isn’t providing technology products or services, you should carefully consider technology exposures that may be hiding in plain sight. This could be especially important if an organization’s contracts contain insurance requirements that would extend to those exposures.
For example, a large regional hospital may provide IT infrastructure to smaller, local clinics for a fee. If the services offered by the regional hospital are deficient or are interrupted, the hospital may have a tech E&O exposure. And because this less significant revenue source is not part of its core healthcare business, it’s very possible it does not receive the same attention from a risk assessment viewpoint and may not be covered under anything other than a tech E&O policy.
Engineering firms also often expand their service offerings into areas with tech E&O exposure that fall outside traditional engineering services. Take, for example, a civil engineering firm offering land survey services to real estate developers. As an enhancement to its traditional services, the firm sells access to a software application capable of providing developers with customized designs and reports that adjust in real time based on continuously updated survey data.
If a deficiency in the application’s programming leads to the output of inaccurate designs and/or reports — meaning the product sold by the firm fails to perform its intended purpose — and the developer suffers financial harm as a result, the developer would likely seek damages from the engineering firm. This may fall outside the bounds of an architects and engineers E&O policy, but could be covered by a tech E&O policy.
Using a website to conduct business transactions is another good example of an unseen technology exposure. If a business uses its site to make sales, schedule work, communicate with customers or carry out any other function related to the business with customers, any errors in the configuration or operation of the site that damage customers could give rise to a claim that would only be covered under a tech E&O policy.
The same is true for organizations that make mobile apps available. If an organization’s application is poorly written and doesn’t function, or perhaps even damages or destroys the data stored on mobile devices, there is a good chance the business would need tech E&O insurance to cover the resulting liability.
It should be noted that tech E&O insurers are not uniform in their willingness to cover all potential technology risks. Depending on the nature of the company and its business, coverage for certain risks may be difficult to find.
Tech E&O vs. cyber
Tech E&O coverage should not be confused with cyber liability coverage.
Many companies structure their coverage so that tech E&O and cyber coverages are in one policy. But it’s important to recognize that the tech E&O portion of such a policy covers the liability arising from a company’s failure to provide professional services and/or products. The cyber portion addresses losses such as ransom payments, restoration of the policyholder’s computer system and business interruption as well as liability for privacy and system security violations.
This differentiation between the two products is particularly important for organizations that would not be considered to be technology companies but nevertheless offer technology products or services. It’s not unheard of for an organization to mistakenly believe that a cyber policy covering many types of computer-related exposures sufficiently addresses exposures related to technology products and services.
Purchasing a tech E&O policy may seem unnecessary to an organization more heavily focused on revenue sources other than technology products or services. However, the exposures those incidental revenue sources create may make the coverage a necessary part of an organization’s risk management program.
Insureds’ obligations
As with all other policies, tech E&O policyholders have obligations to fulfill to enjoy their full benefit.
Nearly all tech E&O policies are written on claims-made forms that require policyholders to report claims as soon as practicable and before the policy period expires. This is true even if the insured is entitled to be indemnified by a third party. “Claim” is typically defined as a written demand for monetary or non-monetary relief, commencement of a legal action or an alternative dispute proceeding, and a request to toll the statute of limitations.
Coverage for defense costs will only begin after a policyholder formally notifies its insurer as required by a policy’s notice provisions. A policyholder is required to coordinate the appointment of defense counsel with the insurer, particularly in cases where a policy gives the insurer the duty to defend claims. Under such policies, insurers frequently have the absolute right to select and appoint defense counsel.
Throughout the claims process, a policyholder and defense counsel will be obligated to provide updates on developments related to the claim, especially unexpected developments and settlement opportunities. Insureds should remember that tech E&O policies — like all E&O policies — require the insurer’s prior consent to incur any expense or to make any settlement offers. This includes providing the carrier with adequate notice before agreeing to participate in a mediation dictated by contractual obligation. Without receiving the carrier’s consent, the policyholder may not receive policy proceeds to settle the claim.
The greater integration of, and reliance on, computer technology by businesses today has increased the number of technology exposures businesses face. While some of these exposures are obvious, many are not. It is essential to consider all potential exposures, and secure appropriate insurance coverage consistent with a business’s risk appetite and contractual requirements.
For more on tech E&O coverage, contact your Lockton advisor or email cyber@lockton.com.