Cyber Risk Transfer: Can you transfer your cyber / privacy risk contractually?
With the advent of more frequent privacy breaches, sophisticated companies are trying to push risk contractually to their vendors and even their clients. Reading a cloud hosting contract or other cloud software platform agreement, this cyber risk transfer trend is evident.
Questions about cyber risk transfer that need answers:
1 – Can organizations obtain additional insured status from a vendor or client’s policy? The short answer is yes, but only for vicarious liability. Privacy law is very clear with respect to ownership of personally identifiable records. Regardless of who is hosting or holding the data, if it’s your data, you are responsible and liable for it.
2 – If organizations can obtain additional insured status and transfer the risk contractually (this varies by state), do you still need to buy a cyber policy? There are several reasons an organization should maintain its own coverage:
- Cyber policies provide first-party coverages, such as extortion and business interruption coverage, which are not liability coverages.
- Relying on additional insured status is unreliable because it requires clear evidence that the vendor is directly responsible for the breach. If the circumstances are unclear, or the vendor is not solely responsible, the vendor’s carrier may fight the requirement to cover your losses.
- Even if you are granted additional insured status on a vendor’s policy, many carriers limit the coverage to a fraction of the overall coverage granted by the policy. Many carriers will only grant additional insured status for third-party claims, but not for breach response costs, regulatory hearings, or other coverage agreements.
- Most companies do not have the process, resources or expertise to evaluate the coverage and/or exclusions provided by the additional insured policy and how it might respond in their defense.
- In the event of a claim, it’s always best to control the claim as a named insured rather than as an additional insured.
3 – How will the “Other Insurance Clause” react in a claim situation involving an additional insured?
Every cyber insurance policy contains a provision identifying what occurs in the event there are multiple different policies available to pay a specific claim.
There is no single answer. Each cyber policy has different and customizable terms and conditions; no two policies are the same. Companies should review the terms and conditions of their own policy and, preferably, their vendor’s policy, although this may prove difficult.
The vast majority of policies have a default other insurance clause which states “this policy is excess over other valid and collectible insurance”. What if you have a contract with a vendor and gain additional insured status on their policy, but both policies have the other insurance clause described above? You would effectively have both insurance companies pointing at one another, with the insured organization in the middle with no defense and no coverage. It would require a lot of time and coverage litigation between the insurance carriers to determine who is responsible for paying the lion’s share of the claim.
Only a few policies are written as primary when there is other insurance.
If you already have a cyber risk insurance policy and request additional insured status on your vendor’s policy, and both policies trigger in response to a claim, you could find yourself in a long, drawn-out litigation between both carriers. A better alternative is to have your own insurance program respond expediently to your cyber claim. It would be wise to amend your policy’s other insurance clause if you seek to gain additional insured status on a vendor’s policy.
Bottom Line: Transferring risk contractually remains the least expensive way to transfer risk. Contractual transfer is a best practice regardless of the type of risk, cyber or otherwise. Insurance is the most expensive but often the most effective way to transfer cyber risk. When it comes to cyber / privacy liability, an organization needs to consider purchasing its own policy to avoid the damage to its balance sheet, or worse, its brand reputation, that could occur without securing its own coverage.
Contact us below and we’ll help you design a safe and secure cyber risk insurance policy.
Brian Heun is the Sales and Relationship Manager and a Partner at KMRD Partners Risk & Insurance Solutions, a leading risk management and human capital solutions firm based in Warrington, Pa.
The content available on or through this e-letter is in no way intended to and shall not be construed to constitute professional medical, health, legal, tax or financial advice. KMRD Partners disclaims any liability or loss in connection with the content contained in this e-letter.
How KMRD Can Help:
KMRD delivers risk management and human capital solutions to over 2000 clients nationwide. Our award-winning team, disciplined approach, proven processes, combined with our risk management portal make KMRD the leading choice to protect against cyber risks and reduce the overall cost of risk.