Contract obligations, third parties and cyber insurance

John Southrey, Director of Product Development & Consulting Services for the Texas Medical Liability Trust, explains what you need to understand about third-party contracts and cyber insurance to make better decisions

1 2 Page 2
Page 2 of 2

In some liability policies, the definition of Who Is Insured automatically includes other types of insureds, such as an agent or independent contractor while acting on behalf of the Named Insured. (Note this typically will not cover the agent or independent contractor’s sole negligence, which is why they need their own insurance policy in their name.) It may also include, as an insured, any person or legal entity the Named Insured is required by written contract to provide such coverage. That’s why, if an Indemnitee is looking for defense and liability protection from an Indemnitor’s insurer, they should obtain documentation that the required coverage for the Indemnitee was actually obtained.

Even if the Indemnitor’s contractually-assumed tort liability is accepted by the Indemnitor’s insurer, the insurer is not going to start issuing payments for breach expenses without investigating their insured’s responsibility for the breach and the reasonableness of those expenses.

How can security leaders tell if the broker or agent they are talking with has a grasp on the nuance of cyber liability insurance?

One way of knowing if an insurance agent/broker is familiar with the ins and outs of cyber insurance is to ask them directly. Specifically, do they understand the various coverage grants and “Who Is Insured” in these policies because cyber insurance coverage forms are not standardized—making it difficult for both the client and agents/brokers to differentiate them.

Another good indicator is if the agent addresses the importance of having both cyber risk management and cyber liability coverage, the latter as a financial backstop should a covered loss event occur.

Additionally, you want an agent who asks for copies of your contracts to look for any stipulated insurance requirements and indemnification provisions. Some contracts stipulate insurance requirements such as maintaining “professional liability insurance” (a generic term that can include an array of coverage forms) including naming a party/Indemnitee as an Additional Insured to the insurance policy. This latter requirement may provide a financial “safety net” for the Indemnitee in case the hold harmless agreement is deemed unenforceable.

In such cases, you should ask your insurance agent/broker to determine if you have the appropriate coverage in place. Agents can’t provide legal advice or opinions, unless they’re a licensed attorney. But they do need to know if their client’s coverage comports with their contractual risk transfer obligations and to look for potential coverage issues, as well as to determine if the client is adequately protected. So an agent’s contract review will be limited to whether the client’s proposed or current insurance program addresses the types and amounts of insurance coverage referenced, if any, and to evaluate the client’s ability to transfer and retain risk.

There will be uncertainties in some situations about the role insurance may play in supporting contractual risk transfer. Depending upon the coverage provisions, it may provide the funding of liabilities assumed by contract, but perhaps not all of them. There is always some retained risk.


Copyright © 2017 IDG Communications, Inc.

1 2 Page 2
Page 2 of 2
7 hot cybersecurity trends (and 2 going cold)