Companies enter into an array of technology transactions with third parties that give vendors access to the Company’s source code, customer data, employee information, cybersecurity measures, and other critical data and infrastructure. These relationships inevitably increase the likelihood that a cyber attack against the vendor will also impact the Company.
Most technology transactions require the vendor to comply with industry standard cybersecurity protocols and employee training, and to indemnify the Company should the vendor suffer a cyber event that impacts the Company. However, those remedies depend on the vendor maintaining industry standards on a going-forward basis (which many do) and having the financial wherewithal to indemnify the Company (and others) after it suffers a cyber event (which the vendor may or may not have).
Companies therefore should also evaluate which vendors they should require to have a robust cyber insurance policy, and whether the Company should be added as an additional insured. Obvious choices are vendors that have some role in the Company’s cybersecurity program, and ones that possess or have access to significant amounts of PII or other critical and confidential Company data. But Companies should also consider whether to require strategically important vendors to procure coverage to protect against an uninsured cyber event causing the unexpected loss of that vendor and resulting disruption to the Company’s business.
If a Company decides to require a vendor to obtain cyber insurance, simply including a contractual requirement that the vendor do so may not result in coverage that adequately addresses the risks the particular vendor is most likely to face or impose on the Company, or that covers the damages that concern the Company the most. There is no single cyber insurance policy that is predominantly used. Instead, approximately 75 carriers write their own individual cyber insurance policies with differing provisions (sometimes vastly differing provisions), and many aspects of those policies can be negotiated. Thus, unlike with CGL (commercial general liability), workers’ compensation, or other traditional policies, a contractual requirement that the vendor obtain a cyber policy with certain limits does not carry the certainty of protection that the same requirement would be expected to provide for more traditional policies.
Instead, Companies should consider contractually requiring a specific cyber policy, or specific cyber policy provisions, that adequately address both the risks to the Company should the vendor suffer a cyber event and the potential cyber risks applicable to the vendor, including, for example, employee negligence. Likewise, Companies should follow up on the contractually imposed requirement to procure cyber insurance and consider whether to request and review a copy of the policy the vendor procured, or even to require approval of a vendor cyber policy before it is bound.
Lastly, depending on the access granted to the vendor, Companies should discuss whether to include some or all of their vendors in their insurance programs. If one or more vendors are to be added, Companies should discuss with their risk managers and brokers ways to obtain insurance that would provide coverage when the vendor suffers a cyber event, including cyber events allegedly resulting from employee negligence or the failure of the vendor to comply with industry standard cybersecurity protocols.