When considering cyber related risk, many would often think, “How could my organization’s system be breached?” Hopefully, they plan some defense for their server being hacked and purchase Cyber Liability Insurance that covers first party loss. This is all well and good, but it is important to consider the exposure when storing data with an off-site storage provider or granting system access to a vendor/provider of any kind. What if they are hacked?
The Target breach is a perfect example of this; their refrigeration contractor fell victim to a phishing email and hackers obtained their Target online portal login credentials. The rest is history.
If your firm does utilize the services of a 3rd party that stores or has access to any Personal Identifiable Information (PII), Personal Health Information (PHI), system credentials, or client data you’ll want to be sure that your Cyber Liability policy provides coverage for a 3rd party loss in the event that a provider is breached and your data is compromised.
Protecting against the 3rd party liability exposure created by engaging providers starts with the agreement wherein you officially engage the vendor/provider. Vendor contracts should include specific and sufficient insurance requirements and indemnity language. This should include insurance requirements for Errors & Omissions, Commercial General Liability and Cyber Liability (with a 3rd party coverage extension) to cover such an event. Moreover, the insurance and indemnity requirements should require the vendor to carry and maintain those coverages for the life of the engagement and for a period thereafter; the limits of insurance should be consistent with the magnitude of the exposure the vendor engagement creates.
While you can’t control how your providers manage their IT systems, you can require that they are properly and adequately insured and held accountable for a breach of their systems through indemnity and insurance requirements in the contract.
If you would like more information or help in reviewing your vendor/contractor agreements or your own insurance policies, click here for assistance.