Third-Party Cyber Insurance Coverage & Pitfalls to Avoid

June 1, 2021 | By IANS Faculty

Determining the right cyber insurance coverage and limits for partners starts with a risk assessment and consideration of key coverage categories. However, it should also consider any contractual liability limitations or exclusions to ensure they don’t override your well-thought-out requirements. This piece details the main types of cyber insurance coverage to assess and require, along with key contractual pitfalls to avoid.

Third-Party Cyber Insurance Requirements

The first step in approaching third-party cyber insurance requirements is to assess the third-party risk. The inherent risk to your company network and data is very different when you contract with a customer vs. the firm hosting your website or your outsourced IT vendor. What portion of your network and sensitive private health information (PHI) or personally identifiable information (PII) can the vendor access? How does the vendor interact with your network to get access?

When you answer these risk assessment questions, you can begin to understand what type of coverages to expect from the third party.

Types of Third-Party Cyber Insurance Coverage

Consider the five following areas of coverage to require of third parties:

  1. Damages arising from phishing that leads to a business email compromise (BEC).
  2. Damages arising from ransomware or other extortion relating to your network or data.
  3. Costs of remediation to retrieve your lost data and bring your network back online.
  4. Costs of complying with healthcare regulatory reporting requirements after a violation, and any resulting fines.
  5. Defense costs for remediation, notification, and defense of litigation claims.

The coverage limits depend on your assessment of the risk they pose as well as industry standards for coverage limits for that specific vendor.

It may not be enough to require $2 million in cyber insurance coverage per occurrence and $3 million in the aggregate. Instead, you may consider stating the overall cyber insurance amount and then breaking that down into specific coverages for the five categories listed above.

It might be unlikely your company will review the actual insurance policy of your vendor, customer or other third party. But if you ask questions about specific coverages, you will learn more about how well they really understand their own coverage. For most organizations, buying cyber insurance is a check-the-box exercise. Asking the right questions can ensure your vendor’s insurance is tailored to the specific risks they pose to your company.

Cyber Insurance Pitfalls

Cyber insurance does not provide blanket protection. Some items to pay specific attention to include:

Contractual limitation of liability. In my most recent ransomware response engagement, I had to give my client the shattering news that the IT vendor whose breach impacted them had a blanket $50,000 limitation of liability. That meant the breached vendor could take the legal position that its $5 million cyber insurance policy was irrelevant, since $50,000 was its total liability. The lesson learned here is you have to make sure the limitations of liability found in most contracts do not apply to data breaches. Instead, the clause should say data breaches are excluded from the liability cap and are subject to the insurance cap.

Exclusions. You also need to pay attention to the exclusions in a policy. Some cyber insurance policies exclude coverage if the underlying contract has a blanket indemnification clause. I have had occasions where I had to educate the other party about this, explaining that if they did not exclude a data breach from the standard indemnity, our cyber insurance coverage would not apply.

Going solely with third-party coverage. You never want to substitute a third party’s insurance for your own coverage. While you can require that the third party’s insurance be used first, you do not want to rely solely on its coverage. Remember, it’s unlikely you will review their cyber policy in detail. You want a backup plan if the vendor’s cyber policy does not cover the claim or has limits that make it insufficient to cover various aspects of the claim, such as legal or forensic costs.

Determine the Right Cyber Insurance Coverage

It’s important to implement a good process to ensure third parties obtain the right insurance and provide a certificate of coverage. The business negotiation is a process, and many times the contract is not given the attention it deserves.

You should also work closely with your legal team to ensure the contractual indemnity, limitation of liability and insurance all work together to reach the result you want. You do not want to have a breach situation and find out the contract signed four years ago has a $30,000 blanket limitation of liability clause that makes the other party’s cyber insurance irrelevant.

Although reasonable efforts will be made to ensure the completeness and accuracy of the information contained in our blog posts, no liability can be accepted by IANS or our Faculty members for the results of any actions taken by individuals or firms in connection with such information, opinions, or advice.
