Brian Heun//September 13, 2019
Businesses are trying to push risk to vendors and clients contractually as breaches and other cyber attacks grow in number and magnitude. To understand whether or not this strategy will work for your company, you can begin by considering the following questions:
While the quick answer will typically be “yes,” it will only be for vicarious liability. Vicarious liability refers to a situation in which one person or organization is held responsible for actions or omissions committed by another person or organization. Privacy law is clear when it comes to ownership of personally identifiable records. If your data has been breached, you are responsible and liable for it regardless of who is hosting or holding the data.
Even if your company has successfully obtained additional insured status from others, there are several reasons your business should maintain its own cyber coverages:
Each cyber policy has different and customizable terms and conditions. No policy is the same. Your company should review the terms and conditions of its own policy and preferably your vendor’s policy, although this may prove difficult.
The vast majority of policies have a default Other Insurance Clause. This default states, “this policy is in excess over other valid and collectible insurance.” What if you have a contract with a vendor and gain additional insured status on its policy, but both policies have the other insurance clause described above? You would effectively have both insurance companies pointing at one another. The insured organization would find itself in the middle with no defense or coverage. It would require significant time and coverage litigation between the insurance carriers to determine who is responsible to pay the lion’s share of the claim.
If your business already has a cyber policy and requests additional insured status on your vendor’s policy, and both policies trigger in response to a claim, you could find yourself in long, drawn-out litigation between both carriers. A preferable alternative is for your insurance program to respond expeditiously to your cyber claim. It would be wise to amend your policy’s other insurance clause if you seek to gain additional insured status on a vendor’s policy.
Bottom Line: While transferring risk contractually remains the least expensive way to transfer risk, it can also, in the situations described here, be the most effective way to transfer risk. Contractual transfer remains a best practice regardless of the type of risk, cyber or otherwise. While insurance is the most expensive, it is also often the most effective way to transfer cyber risk.
When it comes to cyber/privacy liability, your organization should consider purchasing its own policy to avoid the damage to a balance sheet or brand reputation that could occur without securing its own coverage. I recommend speaking with your trusted broker to secure your own coverage.
Brian Heun is the Sales and Relationship Manager and a Partner at KMRD Partners, Inc., a nationally recognized risk and human capital management consulting and insurance brokerage firm with offices throughout Pennsylvania. Brian can be contacted at [email protected]