Determining the right cyber insurance coverage and limits for partners starts with a risk assessment and consideration of key coverage categories. However, it also should also consider any contractual liability limitations or exclusions to ensure they
don’t override your well-thought-out requirements. This piece details the main types of cyber insurance coverage to assess/require along with key contractual pitfalls to avoid.
The first step in approaching third-party cyber insurance requirements is to assess the third-party risk. The inherent risk to your company network and data is very different when you contract with a customer vs. the firm hosting your website or your
outsourced IT vendor. What portion of your network and sensitive private health information (PHI) or personally identifiable information (PII) can the vendor access? How does the vendor interact with your network to get access?
When you answer these risk assessment questions, you can begin to understand what type of coverages to expect from the third party.
Consider the five following areas of coverage to require of third parties:
The coverage limits depend on your assessment of the risk they pose as well as industry standards for coverage limits for that specific vendor.
It may not be enough to require $2 million in cyber insurance coverage per occurrence and $3 million in the aggregate. Instead, you may consider stating the overall cyber insurance amount and then breaking that down into specific coverages for the five
categories listed above.
It might be unlikely your company will review the actual insurance policy of your vendor/customer/ third party. But if you ask questions about specific coverages, you will learn more about how much they really understand their own coverage. For most organizations,
buying cyber insurance is a check-the-box exercise. Asking the right questions can ensure your vendor’s insurance is tailored to the specific risks they pose to your company.
Cyber insurance does not provide blanket protection. Some items to pay specific attention to include:
Contractual limitation of liability. In my most recent ransomware response engagement, I had to give my client the shattering news that the IT vendor whose breach impacted them had a blanket $50,000 limitation of liability. That meant the breached vendor
could take the legal position that its $5 million cyber insurance policy was irrelevant, since $50,000 was its total liability. The lesson learned here is you have to make sure the limitations of liability found in most contracts do not apply to data
breaches. Instead, the clause should say data breaches are excluded from the liability cap and are subject to the insurance cap.
Exclusions. You also need to pay attention to the exclusions in a policy. Some cyber insurance policies exclude coverage if the underlying contract has a blanket indemnification clause. I have had occasions where I had to educate the other party about
this, explaining that if they did not exclude a data breach from the standard indemnity, our cyber insurance coverage would not apply.
Going solely with third-party coverage. You never want to substitute a third-party’s insurance for your own coverage. While you can require the third-party’s insurance is used first, you do not want to solely rely on its coverage. Remember,
it’s unlikely you will review their cyber policy in detail. You want a backup plan if the vendor’s cyber policy does not cover the claim or has limits that make it insufficient to cover various aspects of the claim, such as legal or forensic
It’s important to implement a good process to ensure third parties obtain the right insurance and provide a certificate of coverage. The business negotiation is a process, and many times the contract is not given the attention it deserves.
You should also work closely with your legal team to ensure the contractual indemnity; limitation of liability and insurance all work together to reach the result you want. You do not want to have a breach situation and find out the contract signed four
years ago has a $30,000 blanket limitation of liability clause that makes the other party’s cyber insurance irrelevant.
Although reasonable efforts will be made to ensure the completeness and accuracy of the information contained in our blog posts, no liability can be accepted by IANS or our Faculty members for the results of any actions taken by individuals or firms in connection with such information, opinions, or advice.
June 10, 2021
By IANS Faculty
Identify the key features to look for in a SOAR solution and the top use cases for information security teams to consider.
June 8, 2021
Identify key steps security teams should take, and pain points to watch, when returning to the office working environment.
June 3, 2021
Explaining information security to the board of directors and aligning enterprise information security activities with board-level input can be challenging.