Reviewing Vendor Contracts for Cyber Risks
At the 2017 NetDiligence® Cyber Risk & Privacy Liability Forum in Santa Monica, CA, a panel discussed the important issues risk managers need to consider when reviewing contracts for cyber exposures. The panel was:
- John Farley – VP Cyber Risk Consulting Practice Leader – HUB International
- Meghan Haynes – Product Manager, Axis Capital
- Spencer Timmel – National Director of Cyber and Technology, Safety National
- Scott Godes – Partner, Barnes and Thornburg, LLP
- Javier Gonzalez – Partner & Executive VP of Sales, PL Risk Advisors
Studies show one in five data breaches is traced back to a third party vendor. States such as New York are starting to require companies to include vendor management as part of their cyber loss prevention program.
When you are outsourcing your data to any third party there are many things you need to consider, including the scale of the information you will be sharing and how important the business relationship is to your business. Also, what is the primary business of the third party? If it is not data protection, you should have significant concerns around how they will be protecting your information.
You also need to know how much of the work your third party is doing themselves vs. how much they are outsourcing to other vendors. Every additional vendor that has access to your data is an additional point of risk that you need to consider and evaluate. Chances are the vendor you are working with is also working with other companies, so you need to be concerned about the aggregation of data. If a hacker gets in the door through one of their other partners, could they also access your data? Hackers will look to find the weakest link to get into a system, so they will target smaller companies that have a link to larger targets because they use the same third party vendor. Their ultimate goal is to access the larger company, but they start their attack two steps removed from it to avoid detection.
It’s also important to consider how third parties working with hundreds of companies will respond in the event they are breached. Will they know which accounts are compromised? Will they be responsive or overwhelmed because of the large number of clients they are dealing with?
First party business interruption coverage is an important element of any comprehensive cyber loss prevention program. If you suddenly could not access your data from the cloud, what impact would this have on your business? Should you be listing your vendor partners on your business interruption policy because they are such an integral part of your operation? The more companies outsource business processes to third party vendors, the less control they actually have over business interruption risks.
You also need to consider your own third party risks. If you were the source of the breach and it impacted other clients of the vendor you are working with, do you have coverage to protect you from litigation from these companies with whom you have no business relationship?
It is important to set up your cyber risk program to cover all potential exposures to your company. Do not assume your third party vendors will have coverage to protect you. You also need to be prepared to respond to any breach involving your data and not rely on the third party vendor to assist you.
When underwriting particular industries for cyber risk you have to fully understand how they interplay with other vendors. For example, in the healthcare industry, outsourcing billing and lab work is very common. Many industries use payment processors for their services. Some companies also have outsourced IT and payroll processes.
Indemnification clauses with third party vendors only provide limited protection. If the third party files for bankruptcy, that can essentially wipe out your indemnification rights. It’s more beneficial to have liabilities covered by an insurance agreement as that will survive bankruptcy and still respond where an indemnification agreement may not.
Your third party contracts may also not respond appropriately in the event of a data breach. For example, if the contract requires them to notify you within 30 days of a breach, that puts you in conflict with certain state laws requiring seven-day notice to your clients. In addition, a third party will respond to a breach with their own response team, including lawyers. What you may find then is a situation where they claim all information about the breach is subject to attorney-client privilege, thus denying you information about what exactly has happened to your data.
A question arose about obtaining a copy of the third party’s cyber liability coverage as part of the due diligence. This is very challenging as no one wants to disclose the terms of their coverage, since there is so much variation between policies. Instead, you should require them to carry coverage for certain specific things. In the event they fail to secure such coverage, you would have a breach of contract claim. If you ask to be added as an additional insured to the third party’s insurance contracts, make sure you get a copy of the endorsement for this so you can review any potential limits or exclusions.