
Why cyber insurance does not transfer the core risk of VC & PE funds and why we have invested in Risk Partners cyber master agreements.

Why cyber risks are relevant for venture capital and private equity funds

With the increasing growth of the cybercrime industry (see Federal Office for the Protection of the Constitution), venture capital (VC) and private equity (PE) funds and their fund managers are also increasingly exposed to cyber risks. This has been reflected for years in the claims we have been able to support, in which fund managers take first place year after year in the sectors we support. In addition, regulatory pressure, such as the DORA regulation, ensures that alternative investment fund managers (AIFM), which are fully regulated by BaFin, must actively improve their cyber security. Despite all these measures, a residual risk remains:

  • What happens if attacks are successful and have serious consequences such as data loss or bank transfer fraud?

However, cyber insurance is often overrated in the industry when it comes to the latter; instead, crime insurance (also known as fidelity insurance) plays a crucial role in protecting the persons involved and the AIFM.

In addition, the role of cybercrime is becoming increasingly complex. Attackers are increasingly relying on automated tools and artificial intelligence (see e.g. CFO-Scam with Deepfake) to find vulnerabilities in systems and carry out attacks with precision. It is therefore essential for fund managers to rely not only on technical solutions, but also on organizational and financial protective measures ("insurance").

Crime insurance: An important building block for fund managers, especially for larger AIFMs

While cyber insurance focuses on protecting against digital attacks and losses suffered by the insured, crime insurance (fidelity insurance) primarily addresses the following two aspects:

  1. Protection against transfer fraud: Attacks such as "fake president fraud" (possibly with AI deepfake video calls) and other forms of payment fraud have increased dramatically among PE/VCs in recent years. Crime insurance covers losses caused by unlawful money transfers, for example in LP payouts, capital calls or start-up investments, provided it is the fault of the capital management company (KVG) or its employees.

  2. Protection against intentional fraud by persons of trust: Internally caused losses, for example due to unauthorized or fraudulent actions by an investment manager, can also be high, but are insurable in return for assigning the right of recourse against the offender to the insurer.

Crime insurance therefore complements cyber insurance and should be an integral part of any risk management system. In our view, it is even the more relevant protection for many fund managers.

[Figure: The four building blocks of cyber insurance, with valuation for venture capital and private equity]

Added value of Risk Partners: cyber framework agreements with a focus on VC/PEs

Risk Partners has negotiated framework agreements with cyber insurers that are specifically tailored to the needs of VC/PE funds. These contracts offer:

  • Coverage from as little as EUR 800 net annual premium for smaller AIFMs.

  • Crime modules with sums insured of up to EUR 2.5 million

  • Additional assistance and forensic services to relieve fund managers in the event of an emergency.

  • etc.

Added value and limits of cyber insurance for venture capital and private equity AIFM

Cyber insurance provides important insurance cover, in particular through:

  • Assistance services: In the event of an emergency, the insurance provides 24/7 assistance through specialized service providers to restore systems quickly and make use of forensic services, and covers the costs for this.

  • Liability component: The liability component can be crucial, especially for VC/PEs ("operational VC/PEs") with significant data exposure. It covers damage caused by data loss, betrayal of secrets or data protection breaches.

In addition, some cyber insurers can also insure extortion money, although this is currently the subject of critical debate in the industry. As Risk Partners, we are happy to ensure that these modules are optimally integrated into existing risk management systems (e.g. for E&O insurance). 

What comprehensive insurance cover against cybercrime can look like

Effective insurance cover for VC/PE funds is made up of several components:

  • E&O insurance: This covers wrong decisions and operational risks. Optionally, our Moonshot (VC)/Asset Protect (PE) can be supplemented with a crime module.

  • Crime insurance: Protection against fraud by internal and external actors.

  • Cyber insurance: Cover for specific cyber risks such as claims for damages from start-ups/third parties, supplemented by assistance services.

Irrespective of the insurance policy taken out, we recommend that all GPs look into offers in this regard and document this well, as, according to established case law, failure to take out an insurance option can trigger directors' and officers' liability and thus lead to private liability (D&O insurance claim). Ideally, in such a case, you can point out that the relevant insurance policies have been taken out and provide documentary evidence of this (business judgment rule).

Crime insurance and E&O insurance as a supplement to cyber insurance.

In addition to the insurance modules, a strategic approach to optimizing protection is essential. We recommend this to our clients:

  • Prevention: Implementation of clear guidelines, e.g. dual control principle for payments and (software-based) separation of approval and payment.

  • Operational risk management: training and payment policies to minimize errors.

  • Safeguarding portfolio companies: Startups in particular should take similar protective measures to reduce their own risks. Attacks on startups, for example by hackers, can also indirectly affect fund managers: in the worst-case scenario there is a risk of write-downs, or the startup can be the cause of transfer fraud and AIFM cover can therefore come to nothing ("Crypto exchange Lykke finally gives up after hack"). We are therefore increasingly seeing specific demands for insurance cover from US investors. We are happy to offer special advice on insurance solutions for technology companies via our Risk Partners Technology GmbH, which specializes in high-growth deep-tech and tech companies.

In addition, we recommend carrying out regular cyber simulations to identify potential vulnerabilities in existing systems. Such tests can reveal not only technical but also organizational deficits and provide valuable insights for improving the security architecture. Good cyber insurance policies include this.
