cyber resilience framework
Threatonomics

Cyber Resilience in Vendor Contracts

Indemnification, Insurance and Security Clauses

by Kevin Neslage , U.S. Incident Response Claims Counsel
Published

Professionals responsible for managing and defending against cyber risk likely recognize the importance of vendor management, but they may not recognize its importance to the placement of their organization’s cyber insurance. Resilience works to understand not only the cyber exposures from our clients’ critical vendors, but more importantly, how the they are set up to track and manage this risk. When working with clients to better shore up their vendor risk management we focus on three core areas that have shown to build cyber resilience against threats from vendors holding critical data:

  1. vetting new vendors based on their own security standards;
  2. monitoring existing vendors for compliance with client’s security requirements; and
  3. provisions covering each party’s obligations in the event of an incident.

Building a strong vendor risk management program is a team sport. On the business side, procurement must work with IT security on what controls should be placed on vendors that touch critical data, and with insurance buyers who need to ensure their contracts cover certain exposures like third-party SaaS vendors. This holistic approach to tackling vendor risk helps organizations build resilience to cyber threats ensuring that if your vendor does experience an incident, it will not result in a catastrophic loss.

While documentation alone is insufficient, it is critical to ensuring vendor compliance aligns with an organization’s security requirements. By baking provisions into contracts that can be audited they can be used for monitoring compliance and even negotiating a breakup if the vendor fails to uphold their end of the security trust relationship.

This article will examine three clauses that no purchaser should overlook when considering its own cyber risk in vendor contacts: security, indemnification, and insurance. Any contract will involve a certain amount of negotiation, but professionals involved in the vendor contracting process must consider these clauses that could have significant implications in the event of business email compromise, a ransomware attack, or other cyber incidents.

A purchaser should be warned that these clauses are not always neatly labeled in contract templates; they may be scattered across multiple pages or condensed into one long paragraph. Nevertheless, a good understanding of each topic can help purchasers protect their organization in a cyber incident.

Professionals responsible for managing and defending against cyber risk likely recognize the importance of vendor management, but they may not recognize its importance to the placement of their organization’s cyber insurance. Resilience works to understand not only the cyber exposures from our clients’ critical vendors, but more importantly, how the they are set up to track and manage this risk. When working with clients to better shore up their vendor risk management we focus on three core areas that have shown to build cyber resilience against threats from vendors holding critical data:

  1. Vetting new vendors based on their own security standards;
  2. Monitoring existing vendors for compliance with client’s security requirements; and
  3. Provisions covering each party’s obligations in the event of an incident.

Building a strong vendor risk management program is a team sport. On the business side, procurement must work with IT security on what controls should be placed on vendors that touch critical data, and with insurance buyers who need to ensure their contracts cover certain exposures like third-party SaaS vendors. This holistic approach to tackling vendor risk helps organizations build resilience to cyber threats ensuring that if your vendor does experience an incident, it will not result in a catastrophic loss.

While documentation alone is insufficient, it is critical to ensuring vendor compliance aligns with an organization’s security requirements. By baking provisions into contracts that can be audited they can be used for monitoring compliance and even negotiating a breakup if the vendor fails to uphold their end of the security trust relationship. 

This article will examine three clauses that no purchaser should overlook when considering its own cyber risk in vendor contacts: security, indemnification, and insurance. Any contract will involve a certain amount of negotiation, but professionals involved in the vendor contracting process must consider these clauses that could have significant implications in the event of business email compromise, a ransomware attack, or other cyber incidents. 

A purchaser should be warned that these clauses are not always neatly labeled in contract templates; they may be scattered across multiple pages or condensed into one long paragraph. Nevertheless, a good understanding of each topic can help purchasers protect their organization in a cyber incident.  

Security clauses should go far enough to explain what happens in an incident

Many organizations are becoming more adept at ensuring that their vendor agreements include requirements that the vendor meets certain commercial cybersecurity standards, such as ISO 27000 series standards or the NIST Cybersecurity Framework. A buyer may also require a vendor to expressly warrant that it has certain security controls in place, such as multi-factor authentication, encrypted backup and recovery, or endpoint detection with automated threat response, among other possibilities.

If a vendor makes such representations, a buyer may also need to include the right to audit the vendor to ensure it meets the organization’s standards. While such an option can ensure higher standards from a vendor, performing the audits can also be costly and time-consuming. These terms are critical for a buyer to ensure that any shared data is secure and that its vendor can protect itself from cyber vulnerabilities. However, it is important to remember that even the most secure vendors can suffer a data breach or other incident. A good security clause will specify the vendor’s obligation to the buyer in the event of an incident.

One provision a buyer should include in the contract is that the vendor must notify the buyer within a certain period following the discovery of a data breach. This may be necessary if a buyer has certain legal obligations to notify its own customers, regulators, or insurers within a certain timeframe if a data breach occurs. Based on the organizational needs of a buyer, it may also be prudent to require a vendor to take certain actions as part of its incident response beyond simply notifying the buyer.

If a buyer has enough negotiating strength with a vendor, it could also consider even greater control requirements for any incident response. This could include the buyer consenting to any third-party vendors used as part of incident response, such as law firms or forensic investigators. If a security clause is so specific to contemplate details of how a vendor will handle response to a cybersecurity event, then parties should make sure that the terms agree with the terms of the vendor’s cyber insurance.

Indemnification clauses should correspond to the cyber risk exposure

The indemnification clause is one of the most important risk transfer clauses in any business agreement, cyber risk or otherwise. Indemnification clauses are generally written to provide indemnification for acts, errors, or omissions of the vendor that result in loss to the buyer. Many companies will use standard indemnification clauses, and those clauses may offer some protection from a vendor’s cyber risk. In many cases, however, an indemnification clause that fails to address cybersecurity risks can leave a buyer unprotected.

The indemnification clause should change based upon the nature of each party’s business, and a buyer needs to consider how it would be best protected by specific language concerning indemnification for loss arising from a data breach or cyber attack. For example, should a data breach result in the buyer’s legal obligation to notify customers, the parties should know whether the vendor will be responsible for managing the process or whether the buyer will retain control and be reimbursed by the vendor after it incurs costs itself. The specific terms of the agreement will likely depend on the sensitivity of the data and the extent of the vendor’s data regulation. Additionally, both parties should also draft the scope of the indemnification clause to match the coverage required in the separate insurance clause so that there are no gaps between what is indemnified and what is covered by insurance.

While it is not the same as an indemnification clause, vendors often include limitation-of-liability clauses in their standard form contracts, where the vendor’s liability is limited to the value of the services provided. Some vendors will even attempt to include liability disclaimers in their contracts, and buyers should avoid entering agreements with such clauses. The limitation language may be included in the indemnification clause or added as a separate clause. However, such a limitation may be grossly disproportionate in the cyber context where a vendor is earning fees in the tens of thousands. Still, data breach costs from the vendor’s inadequate security could easily reach seven figures.

An organization should negotiate to remove such limitations, as cyber risk at the vendor’s fault creates exposure to an organization that could extend to emergency response costs, data recovery, business interruption, and third-party liability, among others. Vendors are more likely to remove such clauses when they are adequately insured. However, even when a vendor is adequately insured, it is still important to make sure that any limitation-of-liability clause is removed or has been raised to acceptable limits, so that recovery by the buyer from the vendor’s insurer is not also limited in the event of a cyber incident.

Not only should an organization make clear that it should  be indemnified for a loss arising out of the vendor’s actions, but that it  should  also have the right to tender the defense of any third-party claims and the right to participate in and control the defense of the claims. In certain instances, a buyer may wish to include specific language that ensures this right also exists in the case of liability arising from a vendor’s data breach or cyber incident.

Insurance clauses must include and consider different types of cyber risk

The insurance clause in a vendor contract lays out the requirements for what insurance a vendor must carry and can ensure that a vendor can meet any potential indemnification obligations.

Plenty of pre-drafted insurance clauses will require a vendor to carry up to a certain amount of cyber, privacy, or network-liability insurance. However, the cyber insurance industry is relatively young, and not all products are created equal. This makes it important that the insurance clause in a vendor contract states the exact coverages it must acquire. The insurance clause should not only require liability coverage to protect the buyer but also first-party insurance coverage so that a vendor’s insurance provides breach response coverage and business interruption coverage to mitigate damages from a cyber incident. For certain contracts, buyers may also need the vendor to carry technology errors-and-omissions coverage. A buyer should work with their insurance broker to determine which lines of coverage should be sought in any vendor contract.

In addition to which lines of coverage are required by a vendor, the buyer should ensure the insurance limits carried by the vendor are adequate to indemnify the buyer in the event of any data or security breach catastrophe. And a buyer must not only consider whether that insurance would be adequate to indemnify itself but also indemnify any of the vendor’s other clients owed indemnity should the vendor suffer an attack affecting its entire business. Although such high limits may at times be unrealistic from a business perspective, a buyer should always be seeking that a vendor carries the highest limits possible.

In an ideal situation, an insurance clause in a vendor contract should include several terms, most of which would be the same when considering non-cyber risk.

  • First, a buyer is best protected by an insurance clause that requires that a vendor’s insurance coverage be primary and noncontributory. This means that the vendor’s policy will be the first to respond to a claim and must be exhausted before any other available coverage (such as a buyer’s policy) responds. It also means that the vendor’s carrier should be unable to seek contributions from the buyer’s insurance policy.
  • Second, a buyer should require a notice-of-cancellation provision that requires the vendor to notify the buyer within a specified period should the insurance required by the contract ever be canceled.
  • Third, in certain instances, it may be appropriate to demand that a vendor’s insurance policies include a waiver of subrogation, as it prevents the vendor’s insurance carrier from asserting claims for reimbursement from the buyer for third-party liability payouts.
  • Finally, a buyer should require a certificate of insurance to show proof of insurance rather than simply relying on a vendor’s own word that it has secured the contractually required insurance. In many instances, work does not begin under a contract until certificates of insurance are provided.

The provisions discussed above do not address every means of limiting cyber risk in a vendor contract, but cyber risk professionals should have a good understanding of how each of these provisions can help lower their organization’s own cyber risk exposure. And as always, the buyer should seek the legal advice of its internal counsel or outside counsel. An expert cybersecurity and privacy attorney can assist an insured in accomplishing the goals of ensuring its data is adequately protected, managed in compliance with applicable laws, and while reducing the organization’s own liability exposure. If you are a Resilience client and are looking for support managing your vendor risk, reach out to your policy contact about how we can help.

About the Author
Kevin Neslage , U.S. Incident Response Claims Counsel

Kevin Neslage is a member of the claims team at Resilience Insurance, where he assists insureds through all aspects of the claims process. His primary focus is on incident response, assisting insureds in quickly reacting to a cyber event by utilizing the resources in their cyber insurance policy. In addition, Kevin engages with insureds proactively through Resilience’s unique insured onboarding program, where he joins the Resilience security team in explaining cyber coverage to insureds and advising insureds on specific steps they can take to improve their cyber hygiene. Kevin is an attorney and a certified information privacy professional in both Canada and the US (CIPP/C/US) with the IAPP. Before joining Resilience, Kevin worked as an insurance coverage attorney at some of the largest U.S. and international law firms.

You might also like

Resilience Threat Researchers Identify New Campaigns from Scattered Spider

Following their attacks on MGM and Caesars’ casinos, threat actor group Scattered Spider is believed to be behind attacks on multiple companies in the finance and insurance industries. Using convincing lookalike domains and login pages as well as efficiently timed attacks, the group is aggressively targeting a wider array of companies. We have also observed […]

Breach and Attack Simulations: A Proactive Approach to Loss Prevention 

Today’s CISOs and risk managers need to see around corners to proactively reduce risks before they turn into losses. Increasingly, CISOs also answer directly to the board of directors. No matter how tight you think your controls are or how big your budget is, I promise you things are happening in your environment that you […]

Seven Essential Steps to Vulnerability Management: Learnings from the Ivanti Exposures  

In light of the most recent Ivanti vulnerability, the importance of a robust vulnerability management strategy and incident response plan has never been clearer.  The Ivanti vulnerabilities, particularly CVE-2024-22024, unveiled on February 8th, 2024, serve as a stark reminder of the relentless nature of cyber threats. These vulnerabilities, which allow unauthenticated, remote attackers to access […]

Five Predictions on the State of Cyber Claims in 2024

Unravel the complexities of cyber risk with the 2023 Mid-Year Claims Report by Resilience. Dive into our analysis and predictions for the cyber insurance industry in 2024, including the pivotal role of AI and regulatory changes.

Knowing Your Risk Surface: A Risk-Focused Approach to Incident Response

After decades of more damaging and less predictable cyber attacks, modern cybersecurity practitioners have recognized the critical need to incorporate more risk-based approaches to their planning efforts. However, despite the continuing advances within the cybersecurity field, analytics firms are noting record years for cybercriminals and breaches against some of the most well-defended organizations in the […]