3 Questions to Determine If You Can Transfer Cyber Risk Contractually
Why you need a specific policy for cyber or privacy risk management
by Brian Heun
March 12, 2019
As breaches and other cyber attacks grow in number and magnitude, construction businesses are trying to push risk to others contractually. To understand this strategy, start by answering the following questions:
1. Can your construction business obtain additional insured status from your vendor or client’s policy?
While the short answer will typically be “yes,” it will only be for vicarious liability. Vicarious liability refers to a situation in which some person or organization is held responsible for actions or omissions committed by another person or organization. Privacy law is very clear when it comes to ownership of personally identifiable records. If your data has been breached, you are responsible and liable for it regardless of who is hosting or holding the data.
2. If your construction business can obtain additional insured status and transfer the risk contractually (varies by state), do you need to purchase a cyber insurance policy?
There are several reasons your construction business should maintain its own cyber coverages, even if you have successfully obtained additional insured status from others:
Cyber policies, if properly structured, provide first-party coverages such as extortion and business interruption coverage, which are not liability coverages.
Additional insured status is unreliable because it requires clear evidence that the vendor or client is directly responsible for the breach. If circumstances are unclear, or either party is not solely responsible, the vendor or client’s carrier may fight the requirement to cover your losses.
Even if you are granted additional insured status, many carriers limit the coverage to a fraction of the overall coverage granted by the policy. Many carriers will grant additional insured status only for third-party claims, and not for breach response costs, regulatory hearings or other coverage agreements.
Most companies do not have the process, resources or expertise to evaluate the coverage and/or exclusions provided by the additional insured policy and how it might respond in their defense.
In the event of a claim, it is always best to control the claim as a named insured, rather than as an additional insured.
3. The “Other Insurance Clause” is a provision identifying what occurs in the event multiple different policies are available to pay a specific claim. Is there a single answer as to how this clause will react in a claim situation involving an additional insured?
There is no single answer. Each cyberpolicy has different and customizable terms and conditions. No two policies are the same. Your company should review the terms and conditions of its own policy and, preferably, those of your vendor’s policy, although this may prove difficult.
The vast majority of policies have a default "Other Insurance Clause." This default states, “this policy is in excess over other valid and collectible insurance.” But what if you have a contract with a vendor and gain additional insured status on its policy, but both policies have the other insurance clause described above? You would effectively have both insurance companies pointing at one another. The insured organization would find itself in the middle, with no defense or coverage. It would require a lot of time and coverage litigation between the insurance carriers to determine who is responsible to pay the lion’s share of the claim.
If your construction business already has a cyberpolicy, and requests additional insured status on your vendor’s policy, and both policies trigger in response to a claim, you could find yourself in a long, drawn-out litigation between both carriers. A better alternative is to have your insurance program respond expeditiously to your cyberclaim. It would be wise to amend your policy’s other insurance clause if you seek to gain additional insured status on a vendor’s policy.
While transferring risk contractually remains the least expensive way to transfer risk, it can also, in the situations described here, be the most effective way to transfer risk. Contractual transfer remains a best practice regardless of the type of risk, cyber or otherwise. Insurance is the most expensive, but often most effective, way to transfer cyberrisk.
When it comes to cyber/privacy liability, your organization should consider purchasing its own policy to avoid the damage to a balance sheet or brand reputation which could occur without securing its own coverage.