Imagine you have outsourced your entire engineering function, including product development, to a startup. Under the terms and conditions agreed upon by both parties, the startup manages your company's engineering functions. A few months later, the startup compromises your customers' data.
Who will deal with the incident's aftermath? Does the startup have appropriate insurance to cover its costs? And even if it does, does your company have the contractual right to recover those costs? Such questions are not always easy to answer in the middle of a cyber incident. Many policyholders find themselves confused and frustrated by the complicated language in their contracts. The importance of clarity in these policies cannot be overstated: it can mean the difference between receiving proper coverage and being left exposed to devastating losses. Contractual risk transfer is therefore a crucial component of negotiations, and it must be settled before a major event occurs.
What is risk transfer?
Risk transfer is a risk management approach that involves transferring risk to a third party. In other words, risk transfer entails one party bearing the liabilities of another. To compensate the third party for absorbing the risk, the individual or corporation will usually make monthly payments to the third party. Purchasing insurance is a popular way for an individual or institution to transfer risk to an insurance provider.
Who handles the risk?
You can protect your business by ensuring you are not held liable for mistakes or errors made by vendors. A contract, agreed before work begins, that clearly identifies the party responsible for a cyber loss could save your company time and money in litigation when such a loss occurs. It could also help you deal with crisis situations more effectively. This is relevant for companies looking to outsource (for example, to the cloud) and for professional services firms with a digital focus.
Ideally, risk should be transferred fully and with sufficient financial backing, but this is not always feasible. Questions that affect the outcome of contractual risk transfer include:
- What are the vendor's company size, market position, and appetite?
- What is the industry? Indemnification standards or contractual language are more advanced in some industries than others.
- What is the size of the contract? A big deal often comes with more protection than a small one.
- Do you know what services are provided? Is the vendor handling your data? Are their services mission-critical? What happens if they make a mistake?
- How does the relationship work?
- Does the contract form belong to you or the vendor?
Limitation-of-liability caps are common in many contracts (for example, a cap equal to the fees earned in the past six months). Be careful of carve-outs and negligence standards. Liability caps reduce the value of indemnity and insurance limits.
It is normal for your vendor to have insurance coverage for risks that could affect their services, such as motor, property, general liability, and employer's liability. The inclusion of professional liability insurance is also common in technology or professional services contracts, and the use of cyber insurance is increasing as well.
You should require your vendor to carry insurance so that the indemnity obligations in the contract are financially backed. Insurance requirements should be aligned with the contractual requirements and with a careful evaluation of your trading partner. Requiring cyber insurance also increases the likelihood that the vendor is put through a due diligence process in which underwriters evaluate its risks and risk management maturity.
What kind of insurance should your vendors have?
Cyber insurance covers vendors in case their network is compromised or private information is disclosed. A vendor that provides services must have errors and omissions (E&O) insurance, as well as a policy that covers negligence generally. Most companies with E&O insurance bundle cyber coverage into their E&O policy, which satisfies both requirements.
You can buy either E&O or cyber coverage for the risk of a vendor breaching your data, depending on the policy language. Many tech services companies buy both coverages, so they are protected in case of a data breach.
Setting reasonable limits of coverage
Most companies start with a standard request determined by their size and the average size of their vendor contracts, measured by revenue. There are several factors to consider when determining the level of risk and the appropriate limit. These include:
- How could something go wrong and cause damage?
- Do you need a mission-critical service or a routine service from the vendor?
- Is the vendor a start-up with three employees working out of a garage or a multinational with ₹50 crores in revenue?
- Commercial feasibility, proportionality, and realistic limits are all important considerations.
- Does the vendor have access to personally identifiable information?
- Is there a reason to require ₹5 crores of insurance if the vendor has successfully capped its liability?
Contract language related to cyber risk transfer
Although it is common to be named as an "additional insured" on other contractually required lines of insurance, this has less value in cyber claims. Having access to the policy, and triggering breach cost payments, would be beneficial in data breach claims where the named insured is responsible for the breach. However, adding an additional insured can cause problems for that party if done incorrectly, since no one would pay the retention or manage the process.
The vendor's right-to-audit clause
It is increasingly common for contracts with vendors who handle your clients' confidential information to include language requiring them to protect the data they handle. A clause that merely requires "appropriate security controls" is generally not sufficient.
Forward-thinking companies commonly require data segregation, limits on where data may be housed geographically, and detailed security requirements.
A right-to-audit clause does not generally oblige you to review your vendor's security practices and procedures, but it usually gives you the right to do so. In addition to supporting your compliance obligations, it strengthens your own security procedures and practices and enables you to identify and eliminate risky vendors. As with all contracts, your ability to secure this contractual right will be determined by the terms of the contract. These requests, however, are becoming increasingly common among larger organisations that outsource some or all of their data management services, including those holding substantial amounts of personally identifiable information.
Best practices in cyber risk transfer
Risk transfer is a strategic decision. The entire procedure must be completely visible to both the insurer and the insured. Some suggested best practices are as follows:
1. Define each party's security responsibilities. It is critical that both parties understand their areas of responsibility when transferring cyber risk to an insurer. This is especially relevant in the provision of cloud services, as suppliers may retain the authority to change service policies.
2. Audit provisions. Enterprises should have the right to audit providers to confirm that the required standards are met when handling data. An audit is now seen as one of the most important aspects of identity and access management, and of meeting regulatory compliance.
3. Compliance evaluation. Organisations that operate in regulated industries must ensure that the transfer is fully compliant with applicable data privacy laws and regulations. This requires understanding the duties of IT professionals in secure environments under HIPAA or other statutes.
4. Disaster recovery action plan. Create a strategic plan of action for each party to ensure an immediate response in the event of a calamity.