Can your company transfer its cyber/privacy risk contractually?

Brian Heun//September 13, 2019

Businesses are trying to push risk to vendors and clients contractually as breaches and other cyber attacks grow in number and magnitude. To understand whether or not this strategy will work for your company, you can begin by considering the following questions:

  1. Is additional insured status available from your vendor’s or client’s policy?

While the quick answer will typically be “yes,” it will only be for vicarious liability. Vicarious liability refers to a situation in which one person or organization is held responsible for actions or omissions committed by another person or organization. Privacy law is clear when it comes to ownership of personally identifiable records. If your data has been breached, you are responsible and liable for it regardless of who is hosting or holding the data.

  2. If your business can obtain additional insured status and transfer risk contractually (varies by state), do you also need to purchase a cyber insurance policy?

Even if your company has successfully obtained additional insured status from others, there are several reasons your business should maintain its own cyber coverages:

  • Properly structured cyber policies provide first-party coverages such as extortion and business interruption coverage, which are not liability coverages.
  • Relying on additional insured status requires clear evidence that the vendor or client is directly responsible for the breach, and is therefore unreliable. If circumstances are unclear, or neither party is solely responsible, the vendor’s or client’s carrier may fight the requirement to cover your losses.
  • Even if you are granted additional insured status, many carriers limit the coverage to a fraction of the overall coverage granted by the policy. Many carriers will grant additional insured status only for third-party claims, and not for breach response costs, regulatory hearings or other coverage agreements.
  • Your company may not have the process, resources or expertise to evaluate the coverage and/or exclusions provided by the additional insured policy and how it might respond in its defense.
  • In the event of a claim, it is always best to control the claim as a named insured rather than as an additional insured.

  3. The “Other Insurance Clause” is a provision identifying what occurs when multiple policies are available to pay a specific claim. Is there a single answer as to how this clause will react in a claim situation involving an additional insured?

Each cyber policy has different and customizable terms and conditions. No policy is the same. Your company should review the terms and conditions of its own policy and preferably your vendor’s policy, although this may prove difficult.

The vast majority of policies have a default Other Insurance Clause. This default states, “this policy is in excess over other valid and collectible insurance.” What if you have a contract with a vendor and gain additional insured status on its policy, but both policies contain the other insurance clause described above? You would effectively have both insurance companies pointing at one another. The insured organization would find itself in the middle with no defense or coverage. It would take significant time and coverage litigation between the insurance carriers to determine who is responsible for paying the lion’s share of the claim.

If your business already has a cyber policy, requests additional insured status on your vendor’s policy, and both policies trigger in response to a claim, you could find yourself in long, drawn-out litigation between the two carriers. A preferable alternative is for your own insurance program to respond expeditiously to your cyber claim. It would be wise to amend your policy’s other insurance clause if you seek to gain additional insured status on a vendor’s policy.

Bottom Line: While transferring risk contractually remains the least expensive way to transfer risk, it can also, in the situations described here, be the most effective way to transfer risk. Contractual transfer remains a best practice regardless of the type of risk, cyber or otherwise. While insurance is the most expensive option, it is also often the most effective way to transfer cyber risk.

When it comes to cyber/privacy liability, your organization should consider purchasing its own policy to avoid the damage to its balance sheet or brand reputation that could occur without securing its own coverage. I recommend speaking with your trusted broker to secure your own coverage.

Brian Heun is the Sales and Relationship Manager and a Partner at KMRD Partners, Inc., a nationally recognized risk and human capital management consulting and insurance brokerage firm with offices throughout Pennsylvania. Brian can be contacted at [email protected]