Determining the right cyber insurance coverage and limits for partners starts with a risk assessment and consideration of key coverage categories. However, it should also consider any contractual liability limitations or exclusions, to ensure they don’t override your well-thought-out requirements. This piece details the main types of cyber insurance coverage to assess or require, along with key contractual pitfalls to avoid.
The first step in approaching third-party cyber insurance requirements is to assess the third-party risk. The inherent risk to your company network and data is very different when you contract with a customer vs. the firm hosting your website or your
outsourced IT vendor. What portion of your network and sensitive private health information (PHI) or personally identifiable information (PII) can the vendor access? How does the vendor interact with your network to get access?
When you answer these risk assessment questions, you can begin to understand what type of coverages to expect from the third party.
Consider the following five areas of coverage to require of third parties:
The coverage limits depend on your assessment of the risk they pose as well as industry standards for coverage limits for that specific vendor.
It may not be enough to require $2 million in cyber insurance coverage per occurrence and $3 million in the aggregate. Instead, you may consider stating the overall cyber insurance amount and then breaking that down into specific coverages for the five
categories listed above.
It is unlikely your company will review the actual insurance policy of your vendor, customer or other third party. But if you ask questions about specific coverages, you will learn how well they really understand their own coverage. For most organizations, buying cyber insurance is a check-the-box exercise. Asking the right questions can ensure your vendor’s insurance is tailored to the specific risks they pose to your company.
Cyber insurance does not provide blanket protection. Some items to pay specific attention to include:
Contractual limitation of liability. In my most recent ransomware response engagement, I had to give my client the shattering news that the IT vendor whose breach impacted them had a blanket $50,000 limitation of liability. That meant the breached vendor
could take the legal position that its $5 million cyber insurance policy was irrelevant, since $50,000 was its total liability. The lesson learned here is you have to make sure the limitations of liability found in most contracts do not apply to data
breaches. Instead, the clause should say data breaches are excluded from the liability cap and are subject to the insurance cap.
Exclusions. You also need to pay attention to the exclusions in a policy. Some cyber insurance policies exclude coverage if the underlying contract has a blanket indemnification clause. I have had occasions where I had to educate the other party about
this, explaining that if they did not exclude a data breach from the standard indemnity, our cyber insurance coverage would not apply.
Going solely with third-party coverage. You never want to substitute a third party’s insurance for your own coverage. While you can require that the third party’s insurance be used first, you do not want to rely solely on its coverage. Remember, it’s unlikely you will review their cyber policy in detail. You want a backup plan if the vendor’s cyber policy does not cover the claim or has limits that make it insufficient to cover various aspects of the claim, such as legal or forensic
It’s important to implement a good process to ensure third parties obtain the right insurance and provide a certificate of coverage. The business negotiation is a process, and many times the contract is not given the attention it deserves.
You should also work closely with your legal team to ensure the contractual indemnity, limitation of liability and insurance all work together to reach the result you want. You do not want to be in a breach situation and find out the contract signed four years ago has a $30,000 blanket limitation of liability clause that makes the other party’s cyber insurance irrelevant.
September 19, 2023
By IANS Faculty