First a disclaimer: I am not an attorney, and I am not a cyber liability insurance expert. I am an insurance consumer. Anything I say here should be validated by your attorney, insurance agent, or other qualified professional before acting upon it. But this may help you start the conversation and understand the issues.
As an IT service provider, Buda Consulting manages and secures mission-critical databases for our customers. We do this on infrastructure owned or controlled by them. I have been asked recently by a few customers to show proof of cyber liability insurance to help cover them in the event of a data breach. After numerous conversations with my insurance agent and others, I have learned that there is a misconception about how this insurance is applied. In this post, I hope to help other service providers and customers understand when cyber liability insurance applies and how it relates to service providers. I hope it helps them have conversations about it and to ask the right questions.
Relevant types of insurance for Data Breaches
For the purposes of this discussion, there are two main types of insurance with respect to data breaches.
Cyber Liability Insurance
Cyber liability insurance protects a given organization from financial losses due to a data breach. This coverage protects the company from financial damage resulting from breaches that occur related to data they own or control and that is housed on servers or infrastructure owned and controlled by them (this is not specific language in the contract but I believe this is conceptually accurate). The key point is that it is about their own data, not other’s data that they are working on.
Errors and Omissions Insurance
Another type of insurance is Errors and Omissions insurance. IT Service providers like Buda Consulting hold this type of insurance in order to protect us from financial liability related to errors that we might make that result in financial losses to us or our customers.
There are different types of Errors and Omissions insurance. One type is Technology Errors and Omissions, which specifically deals with technical services. Some (not all) Technology Errors and Omissions policies include network security and privacy liability, referred to as Cyber coverage for 3rd parties.
So What Insurance Does a Service Provider Need?
If a service provider works on a customer’s server, and there is a data breach on that server, the customer’s cyber liability will apply. And if the service provider is at fault, the provider’s Errors and Omissions Insurance will apply – only if it is Technical E&O with Cyber coverage for 3rd parties.
Here are the key takeaways as I understand them:
- Even If the service provider carries Cyber Liability Insurance, it will not apply in the case of a breach of a customer’s infrastructure.
- It is critical that the service provider has Technical Errors and Omissions coverage that includes Cyber coverage for 3rd parties.
- A service provider may of course desire (or need) their own Cyber Liability Policy in order to protect them in the event of a breach of their own data, but this won’t help them with respect to the work they do for others.
- It is critical for customers to hold their own Cyber Liability Insurance even if their service providers hold Cyber Liability Insurance.
- I hope this helps with conversations you may have with your insurance agents, service providers, and customers.