Your Contracts, Your Cyber Insurance and You

 “Don’t talk to me about contracts, Wonka, I use them myself.”
- “Square Deal” Sam Beauregarde

If you are a product brand, you’ve probably been required to enter into many agreements with everyone from manufacturers to distributors, payment processors to financial institutions and vendors of all shapes and sizes. Hopefully you’ve had the opportunity to review and understand these contracts, as landmines may exist within that labyrinth of legalese mumbo-jumbo which can affect the insurance you have purchased for your business. In this article, we’ll look at a few of these, particularly in the context of your cyber insurance policy.

BLT, Hold the Mayo

First, these contracts may require that you add another business to your insurance policy, otherwise known as an “additional insured.” This means that your new partner is able to enjoy coverage under your insurance policy, and at your cost (hint: insurers typically require additional premium for adding insureds to a policy).

Second, these contracts may also require that you hold certain minimum levels, or limits, of coverage. Beware: these contracts may have varying minimum limits, which could affect the levels of insurance you purchase in order to stay compliant across all contracts.

Third, your contracts may also require different types of coverage. For example, one vendor may require that you carry commercial general liability and workers’ compensation insurance. Another may require you to carry cyber insurance. Yet another may require commercial auto liability coverage. Make sure you have all appropriate lines of coverage in place in order to stay compliant with your business partners.

Something About Making an Ass of U and Me . . .

In addition to adding businesses to your policy, as well as keeping minimum levels and types of coverage, these agreements may also require you to assume certain liabilities of your new business partners. This is especially true if you sell products online and will be taking confidential customer data and payment card information which could be stolen by bad guys.

To the extent your business partners could be blamed for such an event by their customers, clients or investigators, they may incorporate “tender of defense and indemnification” provisions into the contracts, effectively passing this responsibility to you. More specifically, if they are sued by their customers or clients or are investigated as a result of a cyberattack or data breach involving your system, they may be able to contractually force you to pay their costs of defense such as lawyer fees, settlements and judgments.

But what does this mean, and how does it affect you? Hopefully you have a cyber insurance program in place with first- and third-party coverage for cyberattacks or data breaches. As we discussed back in December, first-party cyber insurance can help with costs for recovering lost or damaged data, notifying customers, credit monitoring services and public relations, as well as lost business income from network interruption. Third-party cyber insurance covers legal defense costs in the event of lawsuits against your company for data breach, settlements and judgments, and regulatory fines and penalties. Things can change, however, if those legal defense costs come from your business partner tendering defense or requesting indemnification under the contract.

Cyber insurance policies generally exclude from coverage (i.e., insurers will not pay) liabilities assumed by contract, including those contracts you enter into with vendors and other business partners. Let’s say your company is the victim of a cyberattack or data breach and numerous records are compromised. A series of claims, lawsuits and investigations ensues. Several of your vendors wind up being sued and subsequently tender their defense and investigation costs to you under the respective contracts.

Under this scenario, you should be covered to the extent you undertake crisis response measures to minimize reputational harm to you and your vendors as a result of the cyber event. You should also be covered for lawsuits and investigations aimed directly at you. However, you may not be covered to the extent of your vendors’ tender of defense and indemnification costs, since those are assumed liabilities which are excluded under your cyber policy.

Make sure you review your contracts to determine what cyber-related liabilities you are assuming. To the extent possible, negotiate those contract provisions in advance with your business partners. Of course, success on this front may be dependent on bargaining leverage given the relative size of your company compared to your partner. In the alternative, consider having your insurance carrier create carve-outs for these contracts. There may be some additional premium paid, as the insurer will not want to undertake those risks without some cost for doing so. Then take a look at the adequacy of your limits and sub-limits of your full cyber coverage program, given the potentially catastrophic consequences of a cyber event.

Long story short, read and understand the agreements with your business partners, understand the liabilities you are assuming in those contracts, and then assess and react to the effects of those liabilities on your insurance program. As always, we're here to help.