Financial Strategy

Module 42 — Insurance for CFOs

Corporate insurance programs, Directors and Officers liability, professional indemnity, cyber insurance, business interruption — what CFOs must understand to manage corporate risk transfer effectively.

Learning Objectives

  • Design a comprehensive corporate insurance program for a multi-entity group
  • Understand D&O insurance coverage, exclusions, and personal protection implications
  • Evaluate cyber insurance policies in the context of AI and FinTech operations
  • Account for insurance recoveries under IAS 37
  • Manage insurance renewals and claims processes as a CFO

1. Corporate Insurance Framework

Risk Transfer vs Risk Retention

Insurance is one of four risk responses (from ERM framework): avoid, reduce, transfer, or accept.

Insurance (transfer) makes sense when:

  • Potential loss is large relative to the company's capital base
  • The probability of loss is low but impact is catastrophic
  • Regulatory or contractual requirements mandate coverage
  • Third-party risk (customer liability, employee injury) is material

Self-insurance (retention) makes sense when:

  • Loss frequency is high and predictable — premium will equal expected losses plus insurer profit
  • Company is large enough to absorb volatility
  • No coverage available at economic price (e.g., war risk in some markets)

Captive Insurance

A captive is a wholly-owned insurance subsidiary that underwrites the parent group's risks:

  • Large groups (typically USD 5bn+ revenue) use captives for property, liability, workers' comp
  • Captive insures group entities; buys reinsurance for catastrophic layers
  • Tax-efficient in some jurisdictions (Isle of Man, Bermuda, Cayman)
  • CFO benefit: Returns underwriting profit to the group; customizes coverage; improves risk discipline

Pakistan Insurance Market

CategoryKey InsurersCFO Use
Life insuranceState Life, Jubilee Life, EFU LifeEmployee group life, key man insurance
General (non-life)Jubilee General, EFU General, Adamjee, IGIProperty, liability, marine, motor
ReinsuranceLocal reinsurers + Lloyd's of London marketsFor large commercial risks exceeding local capacity

Pakistan insurance market challenges: Low penetration, limited catastrophe capacity, slow claims settlement — CFOs of large companies should structure international reinsurance programs through London/Dubai markets for large risk.


2. Directors and Officers (D&O) Insurance

Three Insuring Agreements

AgreementCoverageWho Pays
Side AIndividual director/officer when company cannot indemnifyInsurer pays individual directly
Side BCompany reimbursed for indemnifying director/officerInsurer reimburses company
Side C (Entity coverage)Company itself for securities claimsInsurer pays company

Side A is most important for CFOs: Protects you personally when the company is insolvent (cannot indemnify) or when indemnification is prohibited by law or court order.

What D&O Covers

  • Securities claims: shareholders alleging misleading financial statements
  • Regulatory investigations: SECP enforcement actions against directors
  • Employment claims: wrongful dismissal, discrimination (if CFO is defendant)
  • Competition law: price-fixing investigations
  • Tax authority actions: personal tax liability of directors in some jurisdictions

Key Exclusions

  • Fraud: Deliberate fraudulent acts — once proven, coverage ceases
  • Criminal acts: Fines and penalties are never insurable (public policy)
  • Known wrongdoing: Acts the insured knew were wrongful at the time — not covered
  • Insured vs insured: Disputes between directors (company suing its own officers)
  • Prior claims: Events known before the policy inception date

CFO D&O Negotiation Checklist

Before accepting a CFO role, confirm:

  1. Policy limit: minimum USD 10M for a PKR 10bn+ listed company; USD 25M+ for significant entity
  2. Run-off cover: 6 years of coverage for acts committed during your tenure, even after you leave
  3. Side A DIC (Difference in Conditions): additional personal protection layer if Side B/C limit is exhausted
  4. Retention (deductible): CFO should have zero personal retention on Side A claims
  5. Definition of "wrongful act": ensure it is broad and includes negligent acts, not just deliberate

3. Professional Indemnity (PI) Insurance

When PI Insurance is Required

PI (also called Errors & Omissions in some markets) covers claims from third parties for:

  • Professional negligence
  • Errors in professional advice or services
  • Failure to provide contracted professional services

BIQAI Group PI exposure:

  • FERROQUANT Capital: investment advisory services — liable for negligent investment advice
  • AuditIQ: audit/assurance services — liable for negligent audit opinions
  • LLM Agent Systems: AI services — liable if AI output causes client financial loss

Claims-Made vs Occurrence Policies

  • Claims-made: Coverage triggers when the claim is made (not when the negligence occurred). Must maintain coverage continuously to protect past acts.
  • Occurrence: Coverage triggers when the negligent act occurred. More favorable for the insured but rarer for PI.

CFO action: When switching PI insurers, ensure the new policy has a retroactive date going back to when the company started providing the service — otherwise there is a coverage gap for older acts.

PI vs D&O — Key Distinction

  • PI: covers claims from clients/customers about professional services
  • D&O: covers claims from shareholders/regulators about management decisions
  • A financial misstatement could trigger both a D&O claim (from shareholders) and a PI claim (from investors who relied on the statements in a fund prospectus)

4. Cyber Insurance

First-Party Cyber Coverage

Protects the company for its own losses from a cyber incident:

  • Business interruption: Revenue loss during system downtime
  • Data recovery: Cost to restore corrupted or encrypted data
  • Extortion: Ransom payments to release encrypted systems (check local law before paying)
  • Crisis management: PR/legal costs to manage the incident
  • Regulatory fines: Where insurable (varies by jurisdiction)

Third-Party Cyber Coverage (Liability)

Protects the company from claims by affected parties:

  • Privacy liability: Customer data breach claims
  • Network security liability: Failure to prevent a cyber attack that spreads to a third party's systems
  • Media liability: Copyright infringement, defamation in digital content

AI-Specific Cyber Risks

LLM Agent Systems and AI-heavy operations face unique risks:

  • Model poisoning: Adversarial inputs corrupting AI model outputs
  • Prompt injection: Malicious instructions embedded in AI inputs — causes AI to produce harmful outputs
  • AI-generated fraud: Deepfake voices/videos used to authorize fraudulent payments
  • Hallucination liability: AI outputs used in financial decisions; hallucinated "facts" cause financial loss

Specialist cyber underwriters (Coalition, Cowbell, AXA XL) offer policies with AI-specific coverage language — read carefully to ensure AI operations are covered.

Pre-Binding Cybersecurity Requirements

Insurers now require minimum cybersecurity controls before binding coverage:

  • Multi-factor authentication (MFA) on all remote access
  • Endpoint detection and response (EDR) on all devices
  • Offline backups — not connected to main network
  • Privileged access management (PAM)
  • Email security (SPF, DKIM, DMARC)

If your company lacks these controls, you will either be declined coverage or pay materially higher premiums.


5. Business Interruption (BI) Insurance

BI Indemnity Period

BI coverage pays for lost profit during a specified indemnity period after an insured physical damage event:

  • Typically 12–24 months
  • Choose based on how long it would take to fully restore operations after a catastrophic loss

Gross Profit vs Revenue Basis

  • Gross profit basis: Insures profit that would have been earned minus saved variable costs. Most appropriate for most businesses.
  • Revenue basis: Insures total revenue lost. Can over-insure if variable costs are saved.

Contingent BI — Supply Chain and Key Customer

Standard BI covers interruption to your own facilities. Contingent BI covers:

  • Supplier interruption: Key supplier's facility damaged, affecting your supply
  • Customer interruption: Key customer's facility damaged, reducing their demand from you
  • Critical infrastructure: Utility provider failure (electricity, gas, water, internet)

Pakistan-Specific BI Risks

  • Power outages: Loadshedding is endemic; standard BI excludes utility failure — require extension
  • Political violence: Civil unrest (PECA, strikes) requires political violence extension
  • Flood: Pakistan floods (2022 displaced 33M people) — ensure flood is covered; many policies exclude
  • Cyber-caused BI: Require specific extension — standard BI does not cover cyber-induced shutdowns

6. Insurance Accounting (IAS 37 and IFRS 4)

Insurance Premium Accounting

Insurance premiums are prepaid expenses:

  • Pay annual premium → Debit: prepaid expenses; Credit: cash
  • Monthly amortization → Debit: insurance expense; Credit: prepaid expenses

Insurance Recovery Recognition (IAS 37.53)

A reimbursement from an insurer for a loss is recognized only when virtually certain:

  • File a claim: do NOT recognize recovery at claim submission
  • Insurer acknowledges liability: still may not be virtually certain
  • Insurer agrees specific amount to pay: now virtually certain — recognize receivable

Critical point: The provision for the loss (under IAS 37) is recognized immediately when the obligation is constructive/legal and probable. The insurance recovery is recognized separately only when virtually certain. Do not net; do not offset.


Self-Assessment

  1. BIQAI Group has the following entities: a listed Pakistani manufacturing company (PKR 15bn revenue), FERROQUANT Capital (investment management), AuditIQ (audit services), and LLM Agent Systems (AI services). Design a corporate insurance program: identify the five key policies required, the coverage amount for each, and the key coverage terms to negotiate.

  2. You have just agreed to join as CFO of a listed Pakistani company. The HR team sends you the standard D&O policy. Review the key terms and identify: (a) whether Side A DIC is included, (b) whether run-off coverage is provided for 6 years post-departure, (c) whether the retroactive date covers prior periods, and (d) what questions you would ask about the retention (deductible).

  3. Your company's main factory experiences a fire. The fire damage is PKR 200M (property insurance claim filed). Business interruption loss during the rebuilding period is estimated at PKR 80M over 9 months. The insurer acknowledges the property claim but has not yet agreed to the BI amount. What accounting entries do you make in the period-end financial statements?