Exceptional risk management practices and their risk managers always ensure contractual insurance requirements in contractor and vendor agreements are reviewed on a consistent basis. It is their responsibility to be certain that insurance and risk-related provisions of standard agreements and purchase orders follow best practices and are appropriate for what is available and attainable in the insurance industry. In an effort to ensure the best protection possible and close potential loopholes, contractual insurance requirements sometimes inadvertently end up too restrictive, unattainable and often unenforceable.
Purchasing or contract execution can be difficult due to contractors’ inability to comply. A few common examples found in insurance requirements include:
Requiring an A.M. Best rating that is too high. An “A+” or “A” insurer financial rating and the largest size category may seem like a good idea with a goal of ensuring viable insurance assets. In reality, it can potentially reduce the pool of contractors able to comply, may risk placing them into non-compliance, or could exclude capable and acceptable contractors and vendors. A rating of “A-” is still defined as “Excellent” by A.M. Best and is within the acceptable financial security standards of most brokers. Risk managers may want to consider any of the “A” ratings as an acceptable grade for counterparties.
Stipulating that the Contractual Liability provisions of contractor/vendor liability insurance policies are to provide coverage for all liability assumed in the Indemnification provision of the Agreement. By design, most indemnity provisions of a contract or agreement are intended to address insurable risks and uninsurable risks, such as breach of warranty and commercial risks. Contractual Liability provisions of liability policies are intended to only address tort liability assumed in an “insured contract” as defined by the policy. Overly broad attempts at linking insurance to indemnity provisions create the possibility of unintentionally ruling the provision vague, unenforceable and therefore void.
Requiring that contractors’ insurers provide Notice of Cancellation too far in advance, or requiring the insurer to provide notice of “material changes of coverage.” Longer notices of policy cancellation are fairly common between insurer and insured; 30 days is an acceptable and reasonable notice to certificate holders and additional insureds on contractor policies. However, it is often challenging to get an insurer to agree to provide a cancellation notice. While it appears to be a good idea, no insurer will agree to provide notice for “material change” in the policy. It is simply too burdensome and there is no common or agreed understanding of what constitutes “material change.”
Crafting insurance requirements is often more of an art and less a science. The obvious intent is to insulate the utility from unreasonable liability arising out of the operations of contractors, vendors and service providers. The risk manager must also juggle absolute protection with what is available and attainable in the marketplace, all while accommodating the business and commercial needs of their internal constituents.
The recent theft of 40 million credit and debit records may not have been the largest data breach, but it sure did get our attention.
In 2002, California introduced the first “breach notification law,” SB1386, and the majority of states quickly followed suit. Today, 46 states, the District of Columbia, the US Federal Government, Canada, and the European Union all have breach notification laws – often multiple laws applying to different types of data. The data breach tracking website datalossdb.org notes approximately 8,000 breaches since 2004, affecting over 700,000,000 records.
Many misconceptions persist about the exposures of “cyber” liability, the way in which these claims occur, and the extent to which they are insurable.
While many entities feel they are not exposed to “cyber” events, either because they do not handle Protected Health Information (PHI), because they do not sell goods or services online, because they outsource the storage of their data, or because they are small, there is almost no company that is not exposed to data breaches.
In reality, the simple presence of customer data, employee data, or confidential third party corporate data creates this exposure. Though we often think of these events in “cyber” terms, some of the most severe incidents have come from the loss of paper files.
Many companies feel their small size insulates them from data breaches, though the reality is that smaller entities often have fewer staff able to be dedicated to a data breach response and a smaller balance sheet to settle liabilities. Some small companies with limited assets have been forced into bankruptcy due to their post-breach liabilities.
The insurance products available in the market today are actually a group of products such as privacy liability (called “third party” coverage), breach costs (“first party” coverage), regulatory investigations, fines, and penalties, multimedia liability, cyber business interruption, damage to digital assets, and cyber extortion. Many carriers have innovative enhancements to these coverages, or specialized coverages not available elsewhere.
The most commonly used portion of a cyber liability policy is the breach costs insuring agreement, which covers services such as computer forensics, notification to affected individuals, credit and/or identity monitoring, and public relations. While limits, retentions, and policy language are all very important, many buyers find that the availability of these resources, centralized through a single, experienced business partner, offers significant convenience and peace of mind.
Though the majority of data breaches are perpetrated by sophisticated hackers, Verizon’s 2013 Data Breach Investigations Report shows that approximately half of known data breaches were attributable to human error. Often, human error facilitates the hack. Approximately one sixth of the studied data breaches arose from third party business relationships. In almost all cases, data storage facilities disclaim all liability for data breaches, leaving the data owner responsible for the costs.
The cyber liability marketplace has changed significantly in the recent past, with coverage now available to companies of all sizes, lower premiums, and lower retentions/deductibles.
Want to be certain you are covered? Hays Companies’ Cyber Liability Practice assists clients ranging from pre-revenue start-ups to established multi-billion dollar entities. Cyber Liability Practice Leader Dave Wasson is available for complimentary consultations at 312.519.7141 or DWasson@HaysCompanies.com.
In 2002, after the 9/11 attacks, the private sector was reluctant to develop security products and services in civilian settings due to the enormous liability risks involved. In response, Congress enacted the Support Anti-Terrorism by Fostering Effective Technologies (SAFETY) Act to encourage the development and deployment of new and innovative anti-terrorism products and services. The SAFETY Act created liability limitations for claims arising out of, relating to, or resulting from an act of terrorism. The Act applies to a broad range of products and services, including technology products, software and other forms of anti-terrorism security measures.
Since the SAFETY Act also provides liability protections for companies deploying SAFETY Act Certified/Designated products, the Department of Homeland Security (DHS) has published an extensive list of approved technologies. You can find the list here. At Hays Companies we recommend that any company that could reasonably foresee being exposed to a terrorist act or threat strongly consider purchasing approved SAFETY Act technologies, which can be used as a strong defense if you are attacked in a way that technology was designed to prevent.
At Hays Companies we also want clients who are producing or consulting on products/services that could be used in an anti-terrorism capacity to consider that becoming Certified or Designated by the Department of Homeland Security could significantly lessen their potential liability.
To understand the criteria for designation or certification please refer to this SAFETY Act Fact Sheet and the SAFETY Act website. As of May 2013, DHS has made 600 approvals for products, technologies and services supporting more than 151,000 private sector jobs in small and large businesses.
To learn more about the SAFETY Act and how to apply for SAFETY Act protections, visit www.safetyact.gov. Hays Companies Cyber Liability Practice Leader Dave Wasson (email@example.com) is also available for consultations.
For the third straight year, Hays Companies of Wisconsin is proud to be named southeastern Wisconsin’s Top Workplace. The Milwaukee Journal Sentinel teamed with Workplace Dynamics, a leading research firm on organizational health and employee engagement, to determine the top employers in the area. Employers were measured by six factors: working environment, pay and benefits, leadership, execution, career and direction. The full listing published in the Milwaukee Journal Sentinel can be found here.
Hays strives to make employee satisfaction a high priority. Chief Executive Officer, Jim Hays, and the other senior officers expect hard work, high ethics and quality results, but it’s also a place where employees can always find assistance and support, particularly during any personal or family struggles. “We do what we think is best for our people and our customers and always emphasize work/life balance.”
Dan Sapiro, President of Hays Companies of WI shared, “By far this is the best group of insurance talent that I have ever been associated with.”
Hays Companies is one of the fastest growing risk management, insurance and employee benefits advisors in the country. Our 700+ team represents a dynamic, entrepreneurial assembly of the best and brightest in the industry. With over 30 offices across the country, we draw from a pool of unrivaled expertise, in legal, certified public accountants, financial services and claims to design a team devoted to your needs, and your needs alone.
Congratulations to Hays team members Bruce Lyon and Bruce Hollcroft! They recently received first place honors at the American Society of Safety Engineers (ASSE) 2013 Professional Paper Awards Competition.
Their article, “Risk Assessments: Top 10 Pitfalls & Tips for Improvement” competed in the Technical Writing Category and was published in the December 2012 issue of Professional Safety magazine.
Mr. Lyon and Mr. Hollcroft will attend the Safety 2013 Conference in Las Vegas this summer to be recognized among their peers and receive their award.