Before investing in an insurtech company, it is important to conduct due diligence on the target business to confirm valuation and identify any material problems. While there are many due diligence approaches, focusing first on evaluating key value drivers, regulatory risks, and potential intellectual property (IP) and data privacy issues can lead to a more efficient and cost-effective due diligence exercise. Below are some key legal considerations that may apply.
Corporate Governance and Material Contracts
Analyze the insurtech’s organizational documents, agreements with investors (equity and debt), and employees to determine how the insurtech is governed, and whether any required consents, special rights, special payouts or other contingencies would become payable or otherwise triggered due to the proposed transaction. For example:
- How much influence will the investor have on the insurtech’s board of directors, and will the investor in its capacity as a shareholder have the ability to veto certain actions proposed by the insurtech?
- If the investor will not have majority voting power, what protections exist in the organizational and investor documents to ensure that the investor is not disproportionately impacted by future equity issuances (which could lead to dilution of the investor’s ownership interest) or change of control events?
Review the insurtech’s material contracts with customers, suppliers, service providers, and other business partners to determine any unusual terms or any conditions that could restrict or otherwise impact the proposed transaction or the continuation (or termination, as desirable) of these contracts after the transaction closes.
Employees and Benefits
Identify key employees needed for the business to grow in the short or long term and evaluate the insurtech’s management and employee incentive and benefit plans (financial or otherwise) to retain top performers.
Some insurtechs have needed to rapidly expand their employee base, which can sometimes lead to gaps in documentation involving understandings with employees and issues with labor law and employee benefit plan legal compliance.
Intellectual Property and Technology
Analyze whether the insurtech has sufficient ownership or licensing rights in key IP for its business, including whether employees have assigned IP inventions to the insurtech, and whether any IP rights are encumbered (e.g., by lenders who have security interests in pledged IP rights) or subject to disputes.
Understand how the insurtech uses open source software and how it handles any related licensing conditions in its software code.
If the investor plans to use the insurtech’s technology in its own operations, consider if there are any issues implementing the insurtech’s new technology under the investor’s legacy IT systems, and whether implementing new technologies—such as artificial intelligence (AI)—could create regulatory risk for the larger enterprise.
Data Ownership, Usage, Privacy and Cybersecurity
If the insurtech collects any data from customers or employees (especially across borders), and the investor wants to use that data, learn what data and privacy laws and restrictions apply to the data. Then, considering the laws and restrictions, review the insurtech’s privacy and information security policies (and compliance with those policies) as well as relevant contracts/terms and conditions.
- For instance, certain contract provisions preserve an insurtech’s rights to data, while others could leak data rights to third parties (e.g., outsourcers or cloud providers). Examples of the latter: “we may use data that you provide to us to improve our services and for other business purposes” or “you agree to provide us copies of any data that you possess regarding…”
- Applicable policies, laws and contract terms will also impact the insurtech’s ability to lawfully transfer/disclose personal data to the investor.
Evaluate the insurtech’s guardrails against cyber risk, especially if the insurtech has valuable data or digital assets, or if the investor’s software or data will be integrated, allowing the insurtech’s vulnerabilities to cyber risk to become the investor’s vulnerabilities.
- Inquire about the insurtech’s past cyber breach incidents and any internal testing of its cybersecurity program (such as penetration testing and vulnerability assessments), as well as the location and methods for data storage.
Insurance Regulatory Considerations
Insurance Licensing
Analyze whether the insurtech holds and has maintained appropriate licenses, registrations or authorizations considering its business model (e.g., MGA/MGU structure) and practices. For example:
- Insurance producer licenses are required to “sell, solicit, or negotiate” insurance.
- It must be clear who (i.e., the licensee) is offering and selling the insurance.
- White labeling/co-branding arrangements require careful use of licensee name and disclosures.
- Review compensation arrangements—receiving commissions based on insurance sales in connection with the sale, solicitation, or negotiation of insurance requires a license.
- Customer service and claims handling roles may require licenses depending on the scope of activities and jurisdictions involved.
Product Review
If relevant to the insurtech’s activities, review products and coverages offered for insurance regulatory compliance. For example, if a product is an admitted product, verify that the product is being issued by an authorized insurer and has been filed and approved, as needed, with state insurance regulators. If a product is a surplus lines product, identify and evaluate who is performing surplus lines compliance activities.
Market Conduct Issues
Review the insurtech’s customer complaint history, as well as any communications with insurance regulators outside the ordinary course of business. Analyze current business practices for market conduct issues.
- Frequent customer complaints to a state insurance department could result in the insurance department starting an investigation and ultimately taking regulatory action against the insurtech.
- Inquiries from state insurance departments could identify market conduct issues to be resolved by the insurtech.
- Past enforcement actions against the insurtech increase the likelihood that a state insurance department could take more severe action (e.g., higher penalties, suspension or revocation of the license) if past market conduct issues have not been resolved.
- Review the insurtech’s current business practices for market conduct activities that often lead to regulatory enforcement (e.g., rebating).
Compliance Policies and Procedures
Analyze whether the insurtech has compliance policies and procedures (e.g., fraud prevention, sanctions, anti-money laundering) in place, and evaluate whether they are implemented (e.g., regular compliance trainings, periodic audits).
Regulatory Issues – Control
Review the insurtech’s arrangements with vendors and distributors. Even when insurance licensees outsource operations to third parties, the licensees remain legally responsible for meeting their statutory, regulatory and contractual obligations as well as their obligations to customers. State insurance departments will pursue licensees for activities of third parties. For example, licensees are responsible for ensuring that third-party service providers have adequate cybersecurity protections in place.
AI/ML and Unfair Discrimination
Evaluate any use of AI, machine learning (ML), or other advanced data analytic tools to process data considering anti-discrimination laws. (See our discussion of key considerations regarding the use of AI/ML.)