Picking the Best Insurance for your Fintech Startup
Fintech saw daily active users increase by 337% in 2021—and the explosive growth looks set to continue. Here we explore which insurance coverage can best benefit startups in this dynamic space, plus some best practices to minimize risks and possibly lower rates.
Is fintech more complicated, regulated, and litigious than other types of startups?
It depends! Fintechs that act as banks—holding money—have greater regulatory liability than companies that, say, supply financial-modeling or enterprise software. Any time you’re doing currency transactions, you’re open to deeper scrutiny from the Securities and Exchange Commission, Consumer Financial Protection Bureau, and other agencies. Compliance can be costly and experts predict it will get more intensive as changes trickle down from 2020’s Anti-Money Laundering Act.
If you run afoul of regulations, brace for investigations, which can create serious sticker shock. You’ll need to pull people away from their day jobs to answer inquiries, and probably retain outside consultants or counsel to help prepare. And it can cost $7–10 per breached record for forensic analysis alone!
At the end, should you be found in violation, the fines can be substantial. For example, the Office of the Comptroller of the Currency levied an $80 million penalty against Capital One for a 2019 breach. (A hacker accessed over 100 million customers’ records via Amazon Web Services. The cloud-computing platform’s former engineer now faces up to 20 years in prison for her alleged role in the breach.)
What unique risks do fintech founders face?
Any time a tech company has users—and you’re holding their information to operate your business—you face regulatory challenges. Fintech just heightens that exposure, as you may be collecting data beyond names and emails. For example, you could be storing Social Security numbers, physical addresses, and revealing details about financial accounts and specific transactions. And that treasure trove can make your startup very appealing to cyberattackers.
So be a good steward of that information. More data is not better in this case. Collect only what you need, because if you suffer a breach, every single element that’s lost can be expensive.
Next, make sure you’re protecting that material: get buy-in across your organization. Make sure all the information is encrypted at rest (when it’s not in use) as well as in transit (when it’s being transmitted).
Also, think about decentralizing your storage, so if hackers breach your security, they don’t get customers’ entire records. Split the information up into different databases that each have their own security. You might have someone’s name in one, their Social Security number in another, and their passport number in a third. Then, if cyberattackers get into one silo, the information’s essentially useless. And this also creates a more hardened surface that’s more difficult to crack in the first place.
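The split described above, sketched as an added example that is not code from Vouch or from this article: each field group goes into its own store under a row key derived with HMAC, so dumps of the separate stores share no identifier to join on. The silo names, field names, and the HMAC pseudonym scheme are assumptions; in-memory dicts stand in for separately secured databases, and per-silo encryption at rest is not shown.

```python
import hashlib
import hmac

# Which field lives in which silo (hypothetical layout following the article's example).
SILO_FIELDS = {"identity": ["name"], "tax": ["ssn"], "travel": ["passport"]}


def silo_key(link_key: bytes, silo: str, customer_id: str) -> str:
    """Per-silo pseudonym: the same customer gets an unrelated row key in each silo."""
    msg = silo.encode() + b"\x00" + customer_id.encode()
    return hmac.new(link_key, msg, hashlib.sha256).hexdigest()


def split_record(record: dict, link_key: bytes, silos: dict) -> None:
    """Write each field group into its own silo under that silo's pseudonym."""
    for silo, fields in SILO_FIELDS.items():
        row = {f: record[f] for f in fields}
        silos.setdefault(silo, {})[silo_key(link_key, silo, record["customer_id"])] = row


def reassemble(customer_id: str, link_key: bytes, silos: dict) -> dict:
    """Only a caller holding link_key can locate the rows and join them."""
    out = {"customer_id": customer_id}
    for silo in SILO_FIELDS:
        out.update(silos[silo][silo_key(link_key, silo, customer_id)])
    return out


def joinable_without_key(silos: dict) -> set:
    """Row keys common to every silo: what dumps alone, without link_key, can be joined on."""
    keysets = [set(rows) for rows in silos.values()]
    return set.intersection(*keysets) if keysets else set()


# Constructed sample data; LINK_KEY would live in a separate key service, not beside the silos.
LINK_KEY = b"constructed-demo-key-not-for-production"
SILOS: dict = {}
for rec in (
    {"customer_id": "c-1001", "name": "Ada Example", "ssn": "000-00-0001", "passport": "X0000001"},
    {"customer_id": "c-1002", "name": "Bo Sample", "ssn": "000-00-0002", "passport": "X0000002"},
):
    split_record(rec, LINK_KEY, SILOS)

if __name__ == "__main__":
    print(reassemble("c-1001", LINK_KEY, SILOS))
    print("joinable without key:", joinable_without_key(SILOS))
```

The design choice that matters is where the linking key lives: if it sits on the same host as any silo, a single intrusion can rebuild whole records.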
Finally, have a formal disaster-recovery plan, written out and tested at least once a year. It’s kind of like war games—run simulations: If this happens, we’ll put this protocol in place. If that happens, here’s how we’ll respond.
Fintech companies inherently have a lot of risks. But if insurance underwriters see a strong security-first philosophy in action, you’re more likely to access coverage and get it for a better rate.
What coverage should fintech founders be considering?
Cyberattacks are the top driver of claims in this space. In 2010, hackers caused 662 data breaches; a decade later that number had risen to over 1,000, leaking over 156 million records. Most recently, they’ve been gaining control of people’s computers via Log4j, a common logging library for the Java programming language. This Log4j vulnerability could potentially affect billions of machines, including ones made by Amazon and Apple. Companies, especially fintechs, are scrambling to deploy additional security to contain the criminals on infected hardware and prevent them from accessing entire networks.
Cyber coverage pays the costs of any lawsuits that arise and also helps breach victims recover. Additionally, Directors and Officers (D&O) Insurance can help protect your C-suite team and board members from becoming targets, should the worst happen.
If you’re offering any kind of advice, consider Errors and Omissions (E&O) Insurance, aka “professional liability insurance.” This provides a safety net if customers claim that an error, poor advice—or, for example, a platform outage—created a financial loss. E&O can cover legal costs, regardless of whether a lawsuit finds you responsible or not.
Risks rise for fintechs that are fiduciaries—acting on behalf of customers—or those safeguarding economic assets like benefit or retirement plans. Fiduciary Liability Insurance can mitigate risk exposures.
That’s not to say other types of coverage won’t be useful, of course. A fintech company needs property insurance just as much as any startup. But their cyber risks can be far above average and worth addressing proactively.
Increasing ransomware attacks have driven fintech insurance pricing up 15 to 50%. Can founders and CEOs do anything to lower costs?
First, work with a partner like Vouch that really knows cyber insurance, especially for fintechs. They’ll be well versed in what the real exposures are and how they can be mitigated. And they’ll probably have a more nuanced understanding of how to price that risk.
Second, get out in front of your renewal. Don’t begin two weeks before your current coverage expires. Mindful companies start the process around three months out to leave time for negotiation and scrutiny of the cyber security controls in place. And the higher the limit—the maximum amount an insurance company will pay for a covered claim—the more time all this is likely to take.
Some controls will be required by regulations, others by your customer base and vendors. And you may want to audit for Sarbanes-Oxley Act (SOX) compliance—this law aims to improve financial disclosures from corporations and prevent accounting fraud. It’s not required, but if you have this certification and the good data-hygiene habits mentioned above, they’re excellent indicators that you have your house in order, which can lower costs.
Sometimes, insurers will quote a price that’s “binding with conditions,” i.e., that the startup implements certain recommendations. If they’re not met within the timeframe, companies might face increased premiums or rates—or be asked to look elsewhere when it’s time for renewal.
Why is Vouch a good pick for fintech insurance?
Our co-founders—Sam Hodges and Travis Hedge—experienced the frustrations of needing coverage before traditional companies were comfortable underwriting it. They believed the process should be easier and that venture-backed tech startups deserved tailored offerings with decisions in minutes, not weeks.
As a fintech itself, Vouch also has a more nuanced view of its fellow fintechs. Most U.S. insurance companies rely on the North American Industry Classification System (NAICS) to categorize companies and assess their risks. But NAICS categories are not terribly accurate when it comes to tech companies. These broad groups could lump the budget-tracker Mint in with something like Robinhood, an investment app that holds users’ funds. Vouch, by contrast, has around 80 niche codes, so we can make granular distinctions between different levels of risk. And we’re also excellent at spotting data elements that can anticipate loss, unlike more traditional insurance companies, which rely on historical data that’s still scarce for the fast-moving world of fintech.
Finally, we take a partner approach that goes beyond the usual insurer-and-insurance-buyer relationship. Vouch wants to be a true partner in risk management and keep our clients growing right alongside us.