Building Cyber Resilience into Vendor Contracts: Indemnification, Insurance and Security Clauses

by Kevin Neslage , U.S. Incident Response Claims Counsel

Professionals responsible for managing and defending against cyber risk likely recognize the importance of vendor management, but they may not recognize its importance to the placement of their organization’s cyber insurance. Resilience works to understand not only the cyber exposures from our clients’ critical vendors, but more importantly, how the they are set up to track and manage this risk. When working with clients to better shore up their vendor risk management we focus on three core areas that have shown to build cyber resilience against threats from vendors holding critical data:

  1. vetting new vendors based on their own security standards;
  2. monitoring existing vendors for compliance with client’s security requirements; and
  3. provisions covering each party’s obligations in the event of an incident.

Building a strong vendor risk management program is a team sport. On the business side, procurement must work with IT security on what controls should be placed on vendors that touch critical data, and with insurance buyers who need to ensure their contracts cover certain exposures like third-party SaaS vendors. This holistic approach to tackling vendor risk helps organizations build resilience to cyber threats ensuring that if your vendor does experience an incident, it will not result in a catastrophic loss.

While documentation alone is insufficient, it is critical to ensuring vendor compliance aligns with an organization’s security requirements. By baking provisions into contracts that can be audited they can be used for monitoring compliance and even negotiating a breakup if the vendor fails to uphold their end of the security trust relationship.

This article will examine three clauses that no purchaser should overlook when considering its own cyber risk in vendor contacts: security, indemnification, and insurance. Any contract will involve a certain amount of negotiation, but professionals involved in the vendor contracting process must consider these clauses that could have significant implications in the event of business email compromise, a ransomware attack, or other cyber incidents.

A purchaser should be warned that these clauses are not always neatly labeled in contract templates; they may be scattered across multiple pages or condensed into one long paragraph. Nevertheless, a good understanding of each topic can help purchasers protect their organization in a cyber incident.

Security clauses should go far enough to explain what happens in an incident

Many organizations are becoming more adept at ensuring that their vendor agreements include requirements that the vendor meets certain commercial cybersecurity standards, such as ISO 27000 series standards or the NIST Cybersecurity Framework. A buyer may also require a vendor to expressly warrant that it has certain security controls in place, such as multi-factor authentication, encrypted backup and recovery, or endpoint detection with automated threat response, among other possibilities.

If a vendor makes such representations, a buyer may also need to include the right to audit the vendor to ensure it meets the organization’s standards. While such an option can ensure higher standards from a vendor, performing the audits can also be costly and time-consuming. These terms are critical for a buyer to ensure that any shared data is secure and that its vendor can protect itself from cyber vulnerabilities. However, it is important to remember that even the most secure vendors can suffer a data breach or other incident. A good security clause will specify the vendor’s obligation to the buyer in the event of an incident.

One provision a buyer should include in the contract is that the vendor must notify the buyer within a certain period following the discovery of a data breach. This may be necessary if a buyer has certain legal obligations to notify its own customers, regulators, or insurers within a certain timeframe if a data breach occurs. Based on the organizational needs of a buyer, it may also be prudent to require a vendor to take certain actions as part of its incident response beyond simply notifying the buyer.

If a buyer has enough negotiating strength with a vendor, it could also consider even greater control requirements for any incident response. This could include the buyer consenting to any third-party vendors used as part of incident response, such as law firms or forensic investigators. If a security clause is so specific to contemplate details of how a vendor will handle response to a cybersecurity event, then parties should make sure that the terms agree with the terms of the vendor’s cyber insurance.

Indemnification clauses should correspond to the cyber risk exposure

The indemnification clause is one of the most important risk transfer clauses in any business agreement, cyber risk or otherwise. Indemnification clauses are generally written to provide indemnification for acts, errors, or omissions of the vendor that result in loss to the buyer. Many companies will use standard indemnification clauses, and those clauses may offer some protection from a vendor’s cyber risk. In many cases, however, an indemnification clause that fails to address cybersecurity risks can leave a buyer unprotected.

The indemnification clause should change based upon the nature of each party’s business, and a buyer needs to consider how it would be best protected by specific language concerning indemnification for loss arising from a data breach or cyber attack. For example, should a data breach result in the buyer’s legal obligation to notify customers, the parties should know whether the vendor will be responsible for managing the process or whether the buyer will retain control and be reimbursed by the vendor after it incurs costs itself. The specific terms of the agreement will likely depend on the sensitivity of the data and the extent of the vendor’s data regulation. Additionally, both parties should also draft the scope of the indemnification clause to match the coverage required in the separate insurance clause so that there are no gaps between what is indemnified and what is covered by insurance.

While it is not the same as an indemnification clause, vendors often include limitation-of-liability clauses in their standard form contracts, where the vendor’s liability is limited to the value of the services provided. Some vendors will even attempt to include liability disclaimers in their contracts, and buyers should avoid entering agreements with such clauses. The limitation language may be included in the indemnification clause or added as a separate clause. However, such a limitation may be grossly disproportionate in the cyber context where a vendor is earning fees in the tens of thousands. Still, data breach costs from the vendor’s inadequate security could easily reach seven figures.

An organization should negotiate to remove such limitations, as cyber risk at the vendor’s fault creates exposure to an organization that could extend to emergency response costs, data recovery, business interruption, and third-party liability, among others. Vendors are more likely to remove such clauses when they are adequately insured. However, even when a vendor is adequately insured, it is still important to make sure that any limitation-of-liability clause is removed or has been raised to acceptable limits, so that recovery by the buyer from the vendor’s insurer is not also limited in the event of a cyber incident.

Not only should an organization make clear that it should  be indemnified for a loss arising out of the vendor’s actions, but that it  should  also have the right to tender the defense of any third-party claims and the right to participate in and control the defense of the claims. In certain instances, a buyer may wish to include specific language that ensures this right also exists in the case of liability arising from a vendor’s data breach or cyber incident.

Insurance clauses must include and consider different types of cyber risk

The insurance clause in a vendor contract lays out the requirements for what insurance a vendor must carry and can ensure that a vendor can meet any potential indemnification obligations.

Plenty of pre-drafted insurance clauses will require a vendor to carry up to a certain amount of cyber, privacy, or network-liability insurance. However, the cyber insurance industry is relatively young, and not all products are created equal. This makes it important that the insurance clause in a vendor contract states the exact coverages it must acquire. The insurance clause should not only require liability coverage to protect the buyer but also first-party insurance coverage so that a vendor’s insurance provides breach response coverage and business interruption coverage to mitigate damages from a cyber incident. For certain contracts, buyers may also need the vendor to carry technology errors-and-omissions coverage. A buyer should work with their insurance broker to determine which lines of coverage should be sought in any vendor contract.

In addition to which lines of coverage are required by a vendor, the buyer should ensure the insurance limits carried by the vendor are adequate to indemnify the buyer in the event of any data or security breach catastrophe. And a buyer must not only consider whether that insurance would be adequate to indemnify itself but also indemnify any of the vendor’s other clients owed indemnity should the vendor suffer an attack affecting its entire business. Although such high limits may at times be unrealistic from a business perspective, a buyer should always be seeking that a vendor carries the highest limits possible.

In an ideal situation, an insurance clause in a vendor contract should include several terms, most of which would be the same when considering non-cyber risk.

  • First, a buyer is best protected by an insurance clause that requires that a vendor’s insurance coverage be primary and noncontributory. This means that the vendor’s policy will be the first to respond to a claim and must be exhausted before any other available coverage (such as a buyer’s policy) responds. It also means that the vendor’s carrier should be unable to seek contributions from the buyer’s insurance policy.
  • Second, a buyer should require a notice-of-cancellation provision that requires the vendor to notify the buyer within a specified period should the insurance required by the contract ever be canceled.
  • Third, in certain instances, it may be appropriate to demand that a vendor’s insurance policies include a waiver of subrogation, as it prevents the vendor’s insurance carrier from asserting claims for reimbursement from the buyer for third-party liability payouts.
  • Finally, a buyer should require a certificate of insurance to show proof of insurance rather than simply relying on a vendor’s own word that it has secured the contractually required insurance. In many instances, work does not begin under a contract until certificates of insurance are provided.

The provisions discussed above do not address every means of limiting cyber risk in a vendor contract, but cyber risk professionals should have a good understanding of how each of these provisions can help lower their organization’s own cyber risk exposure. And as always, the buyer should seek the legal advice of its internal counsel or outside counsel. An expert cybersecurity and privacy attorney can assist an insured in accomplishing the goals of ensuring its data is adequately protected, managed in compliance with applicable laws, and while reducing the organization’s own liability exposure. If you are a Resilience client and are looking for support managing your vendor risk, reach out to your policy contact about how we can help.

You might also like