In Part 3 of Managing Cyber Exposure: 2020 and Beyond, Host and Director of Faculty Development, Jay Williams, CIC, CRM, CRIS, MLIS, AIP, AAI, ACSR, continues his conversation with Paul Burkett, J.D., CIC, CRM, CPCU, ARM, ALCM, about risk management as it relates to cyber exposure, particularly with risk transfer. E-commerce transactions can create the potential for negligence that could lead to loss scenarios. Risk transfer through contract aims to limit these loss scenarios as much as possible. This non-insurance risk transfer tool needs to be combined with the procurement of insurance coverages that transfer the risk to the insurance marketplace.
Tune in to get a firm understanding of the dynamics of contracts and contract transfers. Ready to talk indemnification and hold harmless? Listen now.
Contract Dynamics and Transfers
Picture this: An online retailer has a contract with a technology company that’s going to design the retailer’s website. The company is responsible for securing the retailer’s website, processing orders, and storing customer data in a cloud-type environment.
What are the potential opportunities for negligence in this scenario?
In this situation, the e-commerce transaction provider can create negligence-loss scenarios that will impact the retailer. A good solution is to enforce risk transfer through the contract in order to limit those loss scenarios as much as possible. What else should insurance agents be aware of?
Content liability is a negligence exposure that can create problems for the retailer. Identifying the areas of the contract with the service provider that will create exposures, and including them in the risk management and risk identification process, builds out the content liability picture. This includes assets at risk of potential trademark and copyright infringement, such as logos, design elements, and intellectual property.
Agents should also be aware of any data breaches that could cause privacy claims. Proper security measures should be put in place to protect clients, credit card transactions, private information, and any other key identifiers that are non-public and must be protected.
Other Exposures to Watch for
- First-party exposures: notification costs, forensics, fines and penalties, regulatory
- Business interruption loss: viruses, ransomware, denied access, downtime, data restoration, and rectification work
As the purchaser of these technology products, the retailer would try to require that full liability for these losses be assumed by, and transferred to, the technology company through the commerce transaction. The retailer would need to have adequate indemnification.
Can the other party pay for it?
The short answer is: it depends. Did the retailer mandate insurance coverage for the technology company? Did they require the technology company to have an errors and omissions (E&O) policy? Did they require them to have media or content liability coverage? Did they require third-party cyber coverage for the care, custody, or control of the data that they would be manipulating?
To obtain appropriate coverages, contractual transfer elements and insurance elements like the general indemnity clause (also known as hold harmless and indemnification clauses) must be included in the contract.
The technology vendor cannot limit its liability for Bodily Injury (“BI”), Property Damage (“PD”), privacy liability, or business interruption. Agents should demand that, tell the retailer that it will be fully indemnified, and assure the retailer that all liabilities created by the vendor’s negligence will be paid for. In this scenario, an intellectual property indemnity clause is needed to protect the website against trademark and copyright infringement exposures and the potential claims that follow.
If the intellectual property indemnity clause is agreed to, how will an infringement claim under that clause be paid for? It may not be covered under the Technology Errors and Omissions policy. Property defense coverage may need to be brought in as a separate item.
Clauses Clients Should Have
- Intellectual property indemnity clause
- Financial loss indemnity clause to pay for all losses, including regulatory proceeding attorney’s fees and other items
- Content liability coverage for financial loss, data breach, reconstitution of database, and business interruption created by negligence
What if vendors push back?
The retailer must ensure they have the financial capability to handle a breach of privacy indemnity. The vendor may push back and only want insurance recourse coverage. In other words, they are only going as far as the insurance they have.
A vendor may want loss limited to a specific time period where they will only be responsible for six months, which is in violation of the statute of repose for any completed operation exposure.
Agents should be wary of language stating that the vendor will not be liable for more than a million dollars, for example. There should not be any kind of monetary cap on that indemnification. Retailers should strongly oppose any kind of non-insurance transfer language.
What’s the best thing to do?
Focus on making the retailer’s cyber policy excess over what the technology vendor is providing. Agents must monitor these kinds of contract issues and have those discussions with their clients.
Keep in mind that coding and programming errors aren’t found immediately. It can take a business anywhere from 280 to 340 days to realize it’s been hacked. Agents should consider time limits, timelines, and other items that ensure good financial security. You want to make sure that the retailer knows how to indemnify and how to negotiate through problems and examine all contracts to determine what liability is present.
What does an underwriter need when an agent is submitting business?
Underwriting is done when a fully completed application is submitted. The completed application must indicate the coverage elements the client wants.
What are some potential challenges the underwriter may encounter?
Underwriters will also need to know about historical elements. One of the things they look out for is claims-made contracts. We are now starting to get substantial historical loss data to help examine and actuarially affirm current pricing. What we know right now is that the pricing underwriters are giving is subjective and highly dependent upon their individual judgment. Good and experienced underwriters develop premiums for exposures based upon receipts.
We know that premium pricing and underwriting are done by insuring agreement. If the insurance application indicates the client wants network and information security liability for $5 billion, then the underwriter will rate what network and information security liability would be. If you want communications and media liability as an insuring agreement, then there’ll be a premium charge and a limit established for the communications and media liability. If you want regulatory defense expense, there’ll be a premium charge and a rate that will be applied to the limits that apply for the regulatory defense.
What about crisis management, breach remediation, data restoration expenses, etc.?
Each insuring agreement has a premium that is charged based upon gross receipts that establishes, with the limit selected, what will be charged for that item. There may be separate limits or aggregate limits depending on the rating methodology used by the underwriter, like hazard rates with differentials.
Underwriters will then try to arrive at a rate. The rating structure may have different rate classifications or hazard classifications based on the size of the enterprise or number of employees. They will then add other significant elements from the initial application. It becomes very important that the client understand that this is a “warranty application” and they’re required to disclose information in order to get appropriate coverage.
Things Underwriters Look for
- Network security measures
- Support personnel policies, procedures, training programs
- Information security for the website PDFs
- Password control
- Content information
- Contractual risk transfers
- Indemnification agreements
- Frequency of loss history
When It Comes to Coverage for Clients…
Understand that forms and policies like the commercial general liability, commercial property, EDP, and equipment breakdown won’t protect your client when it comes to cyber insurance. It’s very important to understand that standardized coverage forms are not going to be useful.
A proper cyber or privacy insurance type program must not include only mono-line type coverage. It should include robust, multi-level coverages for first- and third-party exposures.
There’s a Lot to Unpack
Non-insurance transfer, insurance transfer, underwriting, and first- and third-party coverage… oh my! When it comes to cyber insurance, there’s a lot of information for agents to unpack.
Ready for more? Get the full story on Nat Alliance Now.
Stay tuned for part four of this series.