Exceptional risk management practices depend on risk managers who review the contractual insurance requirements in contractor and vendor agreements on a consistent basis. It is their responsibility to be certain that the insurance and risk-related provisions of standard agreements and purchase orders follow best practices and are appropriate for what is available and attainable in the insurance industry. In an effort to ensure the best protection possible and close potential loopholes, contractual insurance requirements sometimes inadvertently end up too restrictive, unattainable and often unenforceable.
Purchasing or contract execution can be difficult due to contractors’ inability to comply. A few common examples found in insurance requirements include:
Requiring an A.M. Best rating that is too high. An “A+” or “A” insurer financial rating and the largest size category may seem like a good idea with the goal of ensuring viable insurance assets. In reality, it can reduce the pool of contractors able to comply, may risk placing them into non-compliance, or could exclude capable and acceptable contractors and vendors. A rating of “A-” is still defined as “Excellent” by A.M. Best and is within the acceptable financial security standards of most brokers. Risk managers may want to consider any of the “A” ratings as an acceptable grade for counterparties.
Stipulating that the Contractual Liability provisions of contractor/vendor liability insurance policies are to provide coverage for all liability assumed in the Indemnification provision of the Agreement. By design, most indemnity provisions of a contract or agreement are intended to address both insurable risks and uninsurable risks, such as breach of warranty and commercial risks. Contractual Liability provisions of liability policies are intended to address only tort liability assumed in an “insured contract” as defined by the policy. Overly broad attempts at linking insurance to indemnity provisions create the possibility of the provision being unintentionally ruled vague, unenforceable and therefore void.
Requiring contractors’ insurers to provide Notice of Cancellation too far in advance, or requiring the insurer to provide notice of “material changes of coverage.” Longer notices of policy cancellation are fairly common between insurer and insured; 30 days is an acceptable and reasonable notice period for certificate holders and additional insureds on contractor policies. Even so, it is often challenging to get an insurer to agree to provide a cancellation notice at all. While it appears to be a good idea, no insurer will agree to provide notice of a “material change” in the policy. It is simply too burdensome, and there is no common or agreed understanding of what constitutes a “material change.”
Crafting insurance requirements is often more of an art than a science. The obvious intent is to insulate the utility from unreasonable liability arising out of the operations of contractors, vendors and service providers. The risk manager must also balance absolute protection against what is available and attainable in the marketplace, all while accommodating the business and commercial needs of their internal constituents.
The recent theft of 40 million credit and debit records may have not been the largest data breach, but it sure did get our attention.
In 2002, California introduced the first “breach notification law,” SB1386, and the majority of states quickly followed suit. Today, 46 states, the District of Columbia, the US Federal Government, Canada, and the European Union all have breach notification laws – often multiple laws applying to different types of data. The data breach tracking website datalossdb.org notes approximately 8,000 breaches since 2004, affecting over 700,000,000 records.
Many misconceptions persist about the exposures of “cyber” liability, the way in which these claims occur, and the extent to which they are insurable.
While many entities feel they are not exposed to “cyber” events, either because they do not handle Protected Health Information (PHI), because they do not sell goods or services online, because they outsource the storage of their data, or because they are small, there is almost no company that is not exposed to data breaches.
In reality, the simple presence of customer data, employee data, or confidential third party corporate data creates this exposure. Though we often think of these events in “cyber” terms, some of the most severe incidents have come from the loss of paper files.
Many companies feel their small size insulates them from data breaches, though the reality is that smaller entities often have fewer staff able to be dedicated to a data breach response and a smaller balance sheet to settle liabilities. Some small companies with limited assets have been forced into bankruptcy due to their post-breach liabilities.
The insurance products available in the market today are actually a group of products, such as privacy liability (called “third-party” coverage), breach costs (“first-party” coverage), regulatory investigations, fines and penalties, multimedia liability, cyber business interruption, damage to digital assets, and cyber extortion. Many carriers offer innovative enhancements to these coverages, or specialized coverages not available elsewhere.
The most commonly used portion of a cyber liability policy is the breach costs insuring agreement, which covers services such as computer forensics, notification to affected individuals, credit and/or identity monitoring, and public relations. While limits, retentions, and policy language are all very important, many buyers find that the availability of these resources, centralized through a single, experienced business partner, offers significant convenience and peace of mind.
Though the majority of data breaches are perpetrated by sophisticated hackers, Verizon’s 2013 Data Breach Investigations Report shows that approximately half of known data breaches were attributable to human error. Often, human error facilitates the hack. Approximately one sixth of the studied data breaches arose from third party business relationships. In almost all cases, data storage facilities disclaim all liability for data breaches, leaving the data owner responsible for the costs.
The cyber liability marketplace has changed significantly in the recent past, with coverage now available to companies of all sizes, lower premiums, and lower retentions/deductibles.
Want to be certain you are covered? Hays Companies’ Cyber Liability Practice assists clients ranging from pre-revenue start-ups to established multi-billion dollar entities. Cyber Liability Practice Leader Dave Wasson is available for complimentary consultations at 312.519.7141 or DWasson@HaysCompanies.com.