Dark Reading is part of the Informa Tech Division of Informa PLC


Endpoint | 11/12/2009 03:28 PM

How To Protect Your Assets When Working With Third Parties

A number of insurance products protect against loss arising from IT-related risks

In our increasingly virtualized world, much of an organization's Personally Identifiable Information (PII) is stored electronically. The explosion of cloud computing and Software as a Service (SaaS) means organizations are more often relying on third-party vendors to host and manage some or all of their sensitive data. Additionally, many SaaS and similar vendors are relatively new businesses without much of a track record; their longevity or liquidity cannot be presumed.

Most applicable data privacy and security laws will hold your organization equally liable for a breach whether it was your fault or that of your third-party vendor. Risks of data loss, data corruption and data theft are of paramount concern. Such risks are not limited to the organization's own actions or omissions, but increasingly include those of its vendors. When the worst happens, how do you manage the financial cost of data losses?

IT professionals can help their organization better manage and reduce financial risk when negotiating for IT services or products by understanding how insurance can cover IT losses. Look for the insurance requirements in your vendor agreements, and know to what extent your organization may be able to cover some of these risks under its own insurance program. Insurance is usually handled by an organization's risk management department or an outside agent, but it is important for the IT professional to have some understanding of the relevant types of IT insurance policies in order to craft appropriate insurance-related protection in their vendor agreements.

There are a number of different insurance products that may be available to protect against loss arising from IT-related risks. We'll cover several in the following discussion. Broadly, they fall into two groups: the insurance your own organization carries, and the insurance your vendors provide.

Commercial Property Insurance is your organization's standard policy, and it may cover data loss. However, these policies often only provide coverage for reconstruction of lost data if there has been actual physical damage to the systems holding the data. Cyber Liability Insurance will potentially provide protection against a wide range of losses arising from cyber-related risks. These policies are often written in a "menu" format, where the insured can pick and choose from a number of different coverage types.

Most cyber insurance policies will cover damages arising from unauthorized access to a computer system, theft or destruction of data, hacker attacks, denial-of-service attacks and malicious code. Some policies also cover privacy risks such as security breaches of personal information, and may apply to violations of state and federal privacy regulations. Reimbursement for crisis management expenses, such as legal and public relations costs, may also be an option. Policies may include business interruption coverage if you lose revenue after an attack, or if your vendor is shut down by an attack or goes out of business.

On the vendor end, Technology Errors and Omissions Liability Insurance will be the primary form of liability insurance your vendor should carry to cover damages you or others may suffer as a result of its negligence. It provides coverage for claims arising from its professional IT services. For example, it covers claims by third parties based on programming errors, software performance or, in some cases, the vendor's services failing to work as warranted in an agreement. Without this coverage, your vendor has no insurance for liability associated with its IT services or products.

Language in agreements should clearly specify the insurance expectations you have for the vendor. Although these will vary based on the services provided by any particular vendor, the following is a sample of what to look for.

Required Insurance Coverage means that the vendor shall obtain, pay for and maintain professional liability insurance (Technology Errors and Omissions or other Cyber Liability Insurance) in full force and effect during the term of any agreement. Vendors should provide an actual copy of the insurance policy, with all dates and coverage terms clearly stated, prior to the activation of any agreement. Many vendors may hesitate to provide a full copy of their policy. However, because these policies are not standardized and provide (or exclude) a wide variety of different coverage, it is critical to obtain a copy of the policy and to review it to ensure that it actually provides coverage for loss arising from the services the vendor is providing under the agreement.

Claims-Made Coverage addresses the case where any required insurance coverage is maintained on a "claims-made" basis: such insurance shall cover all acts, errors or omissions on the part of the vendor during the term of the agreement, and it should be continuously maintained following the expiration or termination of the agreement, since damages and claims might be made well after the agreement expires. This is known as "tail coverage." Most of the protection against third-party suits provided under Technology Errors and Omissions and/or Cyber Liability policies will be provided on a "claims-made" basis (i.e., it will only cover claims made while the policy is in force). For this reason, it is critical to ensure that the vendor maintains the coverage in force not only during the term of the agreement, but also provides tail coverage for at least two to three years afterward, if not longer.

Certificates of Insurance are evidence of all coverage agreed upon and should be furnished to the customer before the agreement is activated.

The IT professional does not have to be an expert in insurance; however, being familiar with the types of insurance available and the limitations of each can help the IT department ensure that the organization is in the best position possible to protect its valuable assets.

Christopher C. Cain is a partner with the law firm of Foley & Lardner LLP, practicing in the firm's Information Technology & Outsourcing practice. He routinely counsels clients on the legal, technical and transactional issues arising in technology transactions. Ethan Lenz, CPCU, is a partner in the firm's Insurance Industry practice and has extensive experience providing risk management and insurance coverage-related advice to commercial clients, including in the context of IT agreements. They can be reached at [email protected] and [email protected], respectively.
