Most of us are familiar with cyber liability, as data breaches and cybercrimes are common. Cyber liability policies provide a wide range of coverage, from network security liability, privacy liability and computer fraud to ransomware attacks. In addition to legal fees and cyber investigation expenses, policies also pay for notifying customers about a data breach, restoring compromised data, and repairing computer systems. However, how cyber liability interacts with contractual requirements may still be unclear.

Negotiating cyber risk transfer provisions in contracts has become crucial and can be a challenge for many organizations. Staffing companies find themselves entering contracts with both clients and vendors, each of which requires cyber insurance. But what are you committing to, who is really at fault, and whose policy pays the claims?

Vendor & Client Contracts

Vendor contractual language can be hard to navigate and may effectively transfer a vendor’s cyber risk to the purchaser, even though the purchaser has no control over the vendor’s systems. This is usually done through strict indemnification wording that limits a vendor’s obligations to intentional misconduct or gross negligence. These contracts also often restrict the vendor’s financial responsibility to only the fees you paid them for their services. This means that if they suffer a big cyber loss, you and your insurance company could be left to cover most of the costs, even if it wasn’t your fault.

Client contracts can be just as confusing and have similar problems with limiting liability. It’s always a good idea to carefully read and understand these contracts before signing them so you can make sure your clients aren’t putting too much responsibility on you.

To protect yourself, try to negotiate fairer terms in the contract. This could mean asking for broader protection from the vendor and removing the limits on their liability. If you can’t remove the limits, try to negotiate a higher cap, so you won’t be left paying an unfair portion of the claim if something goes wrong.

First-Party Coverage vs. Third-Party Coverage

First-party coverage refers to insurance coverage that is designed to protect the policyholder in the event of a cybersecurity incident. This type of coverage is focused on the direct expenses and losses that the policyholder may incur because of a cyber-attack or data breach.

Third-party coverage is designed to protect the policyholder against claims made by third parties, such as clients, vendors, employees, or other individuals or organizations. These claims typically allege that the policyholder is liable for damages or losses suffered by the third party because of a cybersecurity event. Third-party claims include legal fees, settlements, damages, regulatory costs, and fines and penalties.

It’s a common misconception that an organization which suffers a cyber-attack it suspects a third party caused or contributed to can simply tender the claim as it would for general liability. Cyber liability is different in that there is usually a lengthy and detailed forensic investigation into the cause of the claim, and there can be multiple parties at fault. Each organization should have first-party coverage to fund that forensic investigation. From there, it will be determined whether first-party coverage, third-party coverage, or both come into play.

Key Takeaways

It is always prudent to carry your own first- and third-party cyber liability coverage, and never to rely on a client’s or vendor’s third-party coverage. Make certain to review all indemnification and contractual language related to cyber liability, paying special attention to any liability caps. Negotiate out of those caps when you can, and if that is not possible, seek to raise the cap as high as possible.

To learn more, contact a Marsh McLennan Agency (MMA) advisor today.