Module 42 — Insurance for CFOs
Corporate insurance programs, Directors and Officers liability, professional indemnity, cyber insurance, business interruption — what CFOs must understand to manage corporate risk transfer effectively.
Learning Objectives
- Design a comprehensive corporate insurance program for a multi-entity group
- Understand D&O insurance coverage, exclusions, and personal protection implications
- Evaluate cyber insurance policies in the context of AI and FinTech operations
- Account for insurance recoveries under IAS 37
- Manage insurance renewals and claims processes as a CFO
1. Corporate Insurance Framework
Risk Transfer vs Risk Retention
Insurance is one of four risk responses (from ERM framework): avoid, reduce, transfer, or accept.
Insurance (transfer) makes sense when:
- Potential loss is large relative to the company's capital base
- The probability of loss is low but impact is catastrophic
- Regulatory or contractual requirements mandate coverage
- Third-party risk (customer liability, employee injury) is material
Self-insurance (retention) makes sense when:
- Loss frequency is high and predictable — premium will equal expected losses plus insurer profit
- Company is large enough to absorb volatility
- No coverage available at economic price (e.g., war risk in some markets)
Captive Insurance
A captive is a wholly-owned insurance subsidiary that underwrites the parent group's risks:
- Large groups (typically USD 5bn+ revenue) use captives for property, liability, workers' comp
- Captive insures group entities; buys reinsurance for catastrophic layers
- Tax-efficient in some jurisdictions (Isle of Man, Bermuda, Cayman)
- CFO benefit: Returns underwriting profit to the group; customizes coverage; improves risk discipline
Pakistan Insurance Market
| Category | Key Insurers | CFO Use |
|---|---|---|
| Life insurance | State Life, Jubilee Life, EFU Life | Employee group life, key man insurance |
| General (non-life) | Jubilee General, EFU General, Adamjee, IGI | Property, liability, marine, motor |
| Reinsurance | Local reinsurers + Lloyd's of London markets | For large commercial risks exceeding local capacity |
Pakistan insurance market challenges: Low penetration, limited catastrophe capacity, slow claims settlement — CFOs of large companies should structure international reinsurance programs through London/Dubai markets for large risk.
2. Directors and Officers (D&O) Insurance
Three Insuring Agreements
| Agreement | Coverage | Who Pays |
|---|---|---|
| Side A | Individual director/officer when company cannot indemnify | Insurer pays individual directly |
| Side B | Company reimbursed for indemnifying director/officer | Insurer reimburses company |
| Side C (Entity coverage) | Company itself for securities claims | Insurer pays company |
Side A is most important for CFOs: Protects you personally when the company is insolvent (cannot indemnify) or when indemnification is prohibited by law or court order.
What D&O Covers
- Securities claims: shareholders alleging misleading financial statements
- Regulatory investigations: SECP enforcement actions against directors
- Employment claims: wrongful dismissal, discrimination (if CFO is defendant)
- Competition law: price-fixing investigations
- Tax authority actions: personal tax liability of directors in some jurisdictions
Key Exclusions
- Fraud: Deliberate fraudulent acts — once proven, coverage ceases
- Criminal acts: Fines and penalties are never insurable (public policy)
- Known wrongdoing: Acts the insured knew were wrongful at the time — not covered
- Insured vs insured: Disputes between directors (company suing its own officers)
- Prior claims: Events known before the policy inception date
CFO D&O Negotiation Checklist
Before accepting a CFO role, confirm:
- Policy limit: minimum USD 10M for a PKR 10bn+ listed company; USD 25M+ for significant entity
- Run-off cover: 6 years of coverage for acts committed during your tenure, even after you leave
- Side A DIC (Difference in Conditions): additional personal protection layer if Side B/C limit is exhausted
- Retention (deductible): CFO should have zero personal retention on Side A claims
- Definition of "wrongful act": ensure it is broad and includes negligent acts, not just deliberate
3. Professional Indemnity (PI) Insurance
When PI Insurance is Required
PI (also called Errors & Omissions in some markets) covers claims from third parties for:
- Professional negligence
- Errors in professional advice or services
- Failure to provide contracted professional services
BIQAI Group PI exposure:
- FERROQUANT Capital: investment advisory services — liable for negligent investment advice
- AuditIQ: audit/assurance services — liable for negligent audit opinions
- LLM Agent Systems: AI services — liable if AI output causes client financial loss
Claims-Made vs Occurrence Policies
- Claims-made: Coverage triggers when the claim is made (not when the negligence occurred). Must maintain coverage continuously to protect past acts.
- Occurrence: Coverage triggers when the negligent act occurred. More favorable for the insured but rarer for PI.
CFO action: When switching PI insurers, ensure the new policy has a retroactive date going back to when the company started providing the service — otherwise there is a coverage gap for older acts.
PI vs D&O — Key Distinction
- PI: covers claims from clients/customers about professional services
- D&O: covers claims from shareholders/regulators about management decisions
- A financial misstatement could trigger both a D&O claim (from shareholders) and a PI claim (from investors who relied on the statements in a fund prospectus)
4. Cyber Insurance
First-Party Cyber Coverage
Protects the company for its own losses from a cyber incident:
- Business interruption: Revenue loss during system downtime
- Data recovery: Cost to restore corrupted or encrypted data
- Extortion: Ransom payments to release encrypted systems (check local law before paying)
- Crisis management: PR/legal costs to manage the incident
- Regulatory fines: Where insurable (varies by jurisdiction)
Third-Party Cyber Coverage (Liability)
Protects the company from claims by affected parties:
- Privacy liability: Customer data breach claims
- Network security liability: Failure to prevent a cyber attack that spreads to a third party's systems
- Media liability: Copyright infringement, defamation in digital content
AI-Specific Cyber Risks
LLM Agent Systems and AI-heavy operations face unique risks:
- Model poisoning: Adversarial inputs corrupting AI model outputs
- Prompt injection: Malicious instructions embedded in AI inputs — causes AI to produce harmful outputs
- AI-generated fraud: Deepfake voices/videos used to authorize fraudulent payments
- Hallucination liability: AI outputs used in financial decisions; hallucinated "facts" cause financial loss
Specialist cyber underwriters (Coalition, Cowbell, AXA XL) offer policies with AI-specific coverage language — read carefully to ensure AI operations are covered.
Pre-Binding Cybersecurity Requirements
Insurers now require minimum cybersecurity controls before binding coverage:
- Multi-factor authentication (MFA) on all remote access
- Endpoint detection and response (EDR) on all devices
- Offline backups — not connected to main network
- Privileged access management (PAM)
- Email security (SPF, DKIM, DMARC)
If your company lacks these controls, you will either be declined coverage or pay materially higher premiums.
5. Business Interruption (BI) Insurance
BI Indemnity Period
BI coverage pays for lost profit during a specified indemnity period after an insured physical damage event:
- Typically 12–24 months
- Choose based on how long it would take to fully restore operations after a catastrophic loss
Gross Profit vs Revenue Basis
- Gross profit basis: Insures profit that would have been earned minus saved variable costs. Most appropriate for most businesses.
- Revenue basis: Insures total revenue lost. Can over-insure if variable costs are saved.
Contingent BI — Supply Chain and Key Customer
Standard BI covers interruption to your own facilities. Contingent BI covers:
- Supplier interruption: Key supplier's facility damaged, affecting your supply
- Customer interruption: Key customer's facility damaged, reducing their demand from you
- Critical infrastructure: Utility provider failure (electricity, gas, water, internet)
Pakistan-Specific BI Risks
- Power outages: Loadshedding is endemic; standard BI excludes utility failure — require extension
- Political violence: Civil unrest (PECA, strikes) requires political violence extension
- Flood: Pakistan floods (2022 displaced 33M people) — ensure flood is covered; many policies exclude
- Cyber-caused BI: Require specific extension — standard BI does not cover cyber-induced shutdowns
6. Insurance Accounting (IAS 37 and IFRS 4)
Insurance Premium Accounting
Insurance premiums are prepaid expenses:
- Pay annual premium → Debit: prepaid expenses; Credit: cash
- Monthly amortization → Debit: insurance expense; Credit: prepaid expenses
Insurance Recovery Recognition (IAS 37.53)
A reimbursement from an insurer for a loss is recognized only when virtually certain:
- File a claim: do NOT recognize recovery at claim submission
- Insurer acknowledges liability: still may not be virtually certain
- Insurer agrees specific amount to pay: now virtually certain — recognize receivable
Critical point: The provision for the loss (under IAS 37) is recognized immediately when the obligation is constructive/legal and probable. The insurance recovery is recognized separately only when virtually certain. Do not net; do not offset.
Self-Assessment
-
BIQAI Group has the following entities: a listed Pakistani manufacturing company (PKR 15bn revenue), FERROQUANT Capital (investment management), AuditIQ (audit services), and LLM Agent Systems (AI services). Design a corporate insurance program: identify the five key policies required, the coverage amount for each, and the key coverage terms to negotiate.
-
You have just agreed to join as CFO of a listed Pakistani company. The HR team sends you the standard D&O policy. Review the key terms and identify: (a) whether Side A DIC is included, (b) whether run-off coverage is provided for 6 years post-departure, (c) whether the retroactive date covers prior periods, and (d) what questions you would ask about the retention (deductible).
-
Your company's main factory experiences a fire. The fire damage is PKR 200M (property insurance claim filed). Business interruption loss during the rebuilding period is estimated at PKR 80M over 9 months. The insurer acknowledges the property claim but has not yet agreed to the BI amount. What accounting entries do you make in the period-end financial statements?