November 02, 2015 Articles

The Open Port: Insuring Third-Party Cyber Risks

Enhanced and ever-evolving cyber risks are the natural corollary to our increasing dependence on technology—hackers, disruption of service, compromised confidentiality of trade secrets and intellectual property, loss or theft of financial data, and publication of personally identifiable information are modern day realities

by Amy Stewart and Tarron Gartner-Ilai

In today’s world, information technology drives the global economy. Imbedded in our insatiable appetite for newer and better technology are enhanced, and ever-evolving, cyber risks. Hackers, disruption of service, compromised confidentiality of trade secrets and intellectual property, loss or theft of financial data, and publication of personally identifiable information are modern-day realities. Balancing the value of information sharing against the cost of information management is no easy task.

As information technology (IT) becomes increasingly specialized, more and more businesses—from large corporations to small family-owned firms—are outsourcing various IT and cybersecurity functions. Data storage, website design and maintenance, and data and credit card processing are all commonly outsourced functions. Although reputable vendors are prioritizing security, the outsourcing of IT and related functions adds additional layers of risk to the already-complex cyber risk landscape. Even non-IT vendor relationships affect the company’s cyber risks. Consider the Target, Home Depot, and Goodwill breaches. The Target breach began as a malware-laced phishing campaign, directed at Target’s heating, ventilation, and air conditioning vendor, which gave hackers access to Target network credentials and allowed them to breach the nationwide system.[1] Home Depot experienced an almost identical attack less than a year later,[2] while Goodwill’s internal system was infiltrated undetected for almost 18 months through a retail point-of-sale vendor.[3]

As data breaches continue to dominate the headlines, corporate America is working to understand and better manage cyber risks. With this heightened focus on cyber risk management, the insurance industry has seen an increase in the purchase of cyber coverage. In 2014, procurement of cyber policies rose 32 percent among U.S.-based clients of mammoth brokerage firm Marsh & McLennan, and early quarter statistics projected similar growth in 2015.[4]

In connection with corporate efforts to shift cyber risks to insurers, both directly and through service agreements, vendor relationships merit deliberate consideration. This article focuses on the interplay between cyber risks associated with third-party vendor relationships and the applicability of insurance to those risks, from the perspective of the corporate policyholder.

Risks Rooted in the Company-Vendor Relationship

Outsourcing ancillary—or even central—business functions can provide a cost-effective way to keep a corporate entity running on all cylinders. When a vendor becomes the conduit for a large-scale cyber attack, however, a relationship once profitable to both parties may degrade into a finger-pointing match over millions.

If the insured company has outsourced data management, data storage, or data processing, the associated cyber risks are real. In an outsourcing scenario, confidential information is likely entrusted to a third-party provider that may have access to or control over the data and the systems on which the data reside. The third party may own or operate some or all of the systems on which the company conducts core business functions. Even non-IT vendors with access to the company’s systems and confidential data bring cyber risks to the service relationship, as evidenced by the Target and Home Depot data breaches. As a result of these sometimes complex responsibility-sharing relationships, the company and its vendors may have overlapping liability exposure for data security and for a breach or other security event. 

The company-vendor relationship will typically be documented in a written service contract that allocates risk, responsibility, and insurance obligations according to the parties’ agreement. While business partners routinely enter into such agreements, the implications for modern-day cyber risks are complex and must be analyzed carefully at the outset of the relationship (or on renewal if the relationship is already under way).

Consider the recently publicized breach of Cottage Health Systems, which exposed more than 30,000 patients’ private health information online.[5] In the class action litigation that ensued, the plaintiffs alleged the breach occurred because Cottage or a third-party vendor, INSYNC Computer Solution, Inc., or both, stored medical records on a computer system that was fully accessible via the Internet but failed to install encryption devices or take other security measures to protect patient information.[6]

Shortly after the class action was initiated, Cottage notified its cyber insurer, Columbia Casualty (CNA), which agreed to fund both the defense of the underlying claims and the $4.1 million class action settlement, subject to a full reservation of rights.[7] CNA subsequently filed a declaratory judgment action for reimbursement of the defense and settlement costs it paid, citing an exclusion in the policy that precluded coverage for “failure to follow minimum required standards.” CNA pointed to the “Risk Control Self Assessment” within Cottage’s insurance application (which included several questions regarding third-party security standards), maintaining that Cottage provided false responses. 

CNA’s complaint also touched on a practical issue of great consequence; the vendor did not “maintain sufficient liquid assets to contribute towards the proposed settlement fund and does not maintain liability insurance that applies with respect to the privacy claims asserted in the Underlying Action.”[8]

Although the Cottage Health System coverage litigation was later dismissed due to an alternative dispute resolution clause in the policy,[9] it highlights important considerations for assessing vendor arrangements proactively in connection with cyber exposures. The risks are palpable and the stakes are high. The company’s efforts to manage those risks by shifting payment responsibilities to a vendor or insurer will be more effective with careful planning and the use of clear language in documents that purport to reflect the parties’ agreements.

Cyber Insurance for Vendor-Related Risks

Equipped with a general understanding of the potential risk scenarios it faces, the company is better prepared to analyze the sufficiency of the available cyber coverage. If the company has cyber insurance, it will be covered for a data breach or other cyber event under its own cyber policy, subject to the terms, conditions, and exclusions of the policy.

To the extent the vendor agreement imposes insurance obligations on the vendor, the company’s ability to control the scope of coverage is limited even though the risks associated with the vendor’s operations may be significant. The considerations outlined below provide a starting point for evaluating the available insurance coverage for a cyber event implicated by a vendor relationship as part of the company’s cyber risk management.

Insured status. Insured status for purposes of the company’s own cyber insurance should not be complicated because the policy is intended to cover the company. The company should analyze the policy definition of “insured” to ensure the form definition meets its needs, particularly with respect to subsidiaries, and should request an endorsement to add additional named insureds as appropriate.

In the context of its vendor relationships, the company may also expect to be insured under its vendors’ cyber policies. Cyber policies providing security and privacy liability coverage may define “insured” to include entities the named insured is required by contract to add as an insured, but the coverage is often limited to liability for the vendor’s conduct. For example, the Security and Privacy Coverage Section of AIG’s 2013 CyberEdge policy form defines “insured” to include

any entity which a Company [the vendor in our analysis] is required by contract to add as an Insured under this Security and Privacy Coverage Section, but only for the acts of such Company [the vendor] that result in a Security Failure or a Privacy Event.[10]

This definition of “insured” generally extends coverage to the additional insured only to the extent it has vicarious liability for conduct of the vendor that is otherwise covered under the policy. If the service agreement between the company and the vendor requires the vendor to indemnify the company only against the vendor’s own acts, errors, and omissions, this policy language aligns with the scope of the indemnity agreement (assuming the policy provides the expected scope of coverage). If, on the other hand, the vendor service agreement imposes on the vendor an obligation to indemnify the company against any liability or damages stemming from the operations managed or controlled by the vendor regardless of fault, the coverage provided by the CyberEdge policy form may fall short of insuring all of the vendor’s exposure under the contract. If applicable law permits the company to require indemnification by the vendor regardless of fault, the parties’ agreement to this effect should be plainly stated in the service agreement, along with parallel insurance requirements.

Covered networks. The extent of coverage under a cyber policy may turn (in part) on the policy’s definition of “computer system,” “network,” or some equivalent term. If “computer network” is defined to include only systems within the named insured’s ownership or control, a breach that occurs on the vendor’s side may not be covered by the company’s policy.

Other cyber policies better contemplate the realities of outsourced technology functions, defining the insured “systems” to include leased or outsourced operations. As an example, consider this standard definition from the 2009 Security and Privacy Coverage Section form of AIG’s Specialty Risk Protector policy:

Computer System” means any computer hardware, software or any components thereof that are under the ownership, operation or control of, or that are leased by, a Company and are linked together through a network of two or more devices accessible through the Internet, internal network or connected with data storage or other peripheral devices.[11]

This language specifically contemplates coverage for cyber events involving leased networks or computer systems, even if the company does not own, operate, or control the system.

Another version of the Specialty Risk Protector policy, called CyberEdge Security and Privacy Liability Insurance,[12] expressly provides in its 2013 form that “computer system” includes third-party hosted resources as long as the hosted services are provided pursuant to a written contract with the insured company. The policy language also specifies more particularly the broad functions contemplated by the coverage:

Computer System” also means “cloud computing” and other hosted resources operated by a third party service provider for the purpose of providing hosted computer resources to a Company as provided in a written contract between such third party and a Company.[13]

By comparison, Beazley’s Information Security and Privacy form further details the scope of the covered vendor role through its definition of “computer systems”:

Computer Systems” means computers and associated input and output devices, data storage devices, networking equipment, and back up facilities:
1.      operated by and either owned or leased to the Insured Organization; or
2.      systems operated by a third party service provider and used for the purpose of providing hosted computer application services to the Insured Organization or for processing, maintaining, hosting or storing the Insured Organization’s electronic data, pursuant to written contract with the Insured Organization for such services.[14]

Both the AIG and Beazley forms extend coverage to hosted resources, while the Beazley form specifically references processing, maintenance, hosting, and storage functions as well. Other cyber policies define covered subcontracted technology functions more broadly, like the ACE Privacy Protection, Privacy & Network Liability Insurance Policy:

Insured’s Computer System” means a “Computer System”:

    1.  leased, owned, or operated by the Insured; or
    2.  operated for the benefit of the Insured by a third party service provider under written contract with the Insured.[15]

The ACE policy’s “operated for the benefit of the Insured” language contemplates an extension of coverage to any vendor systems that are operated for the benefit of the company. The particular vendor role or function is not defined; the provision merely requires a written contract between the company and vendor. Under this language, the policy would appear to cover vendor systems implicated in a cyber event, even where the vendor merely retains some functional access to the company’s internal system.

Where the company outsources business-critical functions, the significant risks associated with those outsourced operations may merit a manuscript endorsement to eliminate uncertainty about coverage under the company’s own policy. Such an endorsement might also address other insurance issues that arise if a cyber event triggers both the company’s own policy and one or more vendor policies.

Beyond the company’s own policy, coverage for company losses in the event of a system outage or failure originating on the vendor side may be important. For example, a vendor’s cyber policy may address conduit liability, such as Chubb’s ForeFront Portfolio 3.0 CyberSecurity Coverage Part:

Conduit Liability means loss sustained or allegedly sustained by a natural person or an entity because a System cannot be used, or is impaired, resulting directly from:

(A) a Cyber-attack into an Insured’s System, provided such Cyber-attack was then received into a third party’s System; or

(B)  a natural person or an entity who has accessed a System without authorization, through an Insured’s System,

provided such transmission or access occurred on or after the Retroactive Date and before the end of the Policy Period.[16]

Separate and apart from the vendor’s indemnity obligations, this coverage would apply to the vendor’s liability to the company associated with a cyber attack that occurs through the vendor’s system and impairs the company’s systems.

Requisite cyber coverages. Because cyber insurance is not standardized, the scope of coverage can vary widely from insurer to insurer and even from policy to policy. Subject to pricing constraints, the company is better able to control the scope of coverage under its own policy. The scope of coverage under vendor policies, on the other hand, is more difficult to monitor or control. When a third-party service agreement mandates the purchase of general liability insurance, the parties generally know what to expect. Absent standardization in the cyber market, merely requiring the vendor to obtain a “cyber policy” may not provide the protection the company envisioned when negotiating the vendor agreement. The company can begin to address these concerns by specifically identifying the types of cyber insurance the vendor is expected to provide.

While the specific nature of the vendor relationship will drive the insurance requirements, the vendor agreement should require the particular cyber coverages the company expects the vendor to maintain. Security and privacy liability insurance covers exposure to others in the event of a breach, but event management coverage may need to be purchased separately to cover expenses associated with a data breach. While some cyber policies combine these coverages in a single insuring agreement, the organization of the cyber policy matters less than the presence of the specified coverages, and the vendor agreement should clearly articulate the company’s expectations. Coverage for regulatory investigations and proceedings may be a separate coverage, depending on how the policy is structured. And coverage for system failures, outages, or interruptions is usually provided separately.

Consider a situation where the company relies on a vendor to transact business on behalf of the company using the vendor’s own network. If a security failure shuts down the vendor’s operations for a period of time, the company may experience an economic loss—lost profits and other expenses—as a result of the vendor’s inability to conduct business on behalf of the company. The company may have its own network interruption coverage (the cyber counterpart to business interruption insurance), which may respond if the definition of “system” or “network” is sufficiently broad to extend to the vendor’s network. The company may be an additional insured on the vendor’s network interruption policy, if the vendor maintains that coverage. Or the company may assert claims against the vendor that would trigger the vendor’s cyber liability coverage. If the company expects the vendor to bear the cost of insuring these specific risks, however, the service agreement should make that clear.

Ultimately, the insurance coverage procured by the vendor should dovetail with the risks and responsibilities assumed by the vendor in the service agreement (particularly if the vendor lacks sufficient assets to honor its indemnity obligations to the company without insurance protection).

Company-Vendor Disputes

When disputes arise between the company and a vendor, the company has a keen interest in knowing the vendor will be able to satisfy an adverse judgment for the company’s damages. The vendor’s liability for professional negligence (acts, errors, and omissions in the rendition of professional services) or a cyber event may be covered by insurance, which becomes particularly important if the vendor has insufficient assets to cover its direct liability to the company.

Travelers v. Federal Recovery Services, Inc. One of the first decisions interpreting a cyber policy involves a problematic vendor relationship, arising from an electronic-payment-processing vendor’s refusal to release data under its control.[17] Federal Recovery Services, Inc. (FRS) is a data-processing vendor that handles electronic payment transactions. In connection with these services, FRS stores and transmits electronic data, including personal identification information, used to process payments.

The underlying plaintiff, Global Fitness Holdings LLC, owned and operated fitness facilities in several states and contracted with FRS to handle electronic payments from gym members. Pursuant to the service agreement, Global uploaded member account and billing information to FRS’s encrypted website. FRS processed member payments and transferred the funds to Global after deducting its fee.

During the course of the vendor relationship, Global asked FRS to surrender the payment data for inclusion in an asset purchase by LA Fitness. The relationship soured when FRS withheld the data, refusing to turn it over until Global met certain demands. Global sued FRS for withholding the data, asserting claims for conversion, tortious interference, and breach of contract.

FRS was insured by Travelers under a CyberFirst Policy, which provided technology errors and omissions coverage. The policy defined “errors and omissions wrongful act” only to mean “any error, omission or negligent act.”[18] In the coverage litigation, Travelers argued it had no duty to defend FRS against allegations that it wrongfully withheld property belonging to Global. FRS argued in response that Travelers’ position made erroneous assumptions about FRS’s intent to injure and that Global’s allegations that FRS “withheld” data were broad enough to encompass an error, omission, or negligent act relating to the holding, transferring, or storing of data.

The court disagreed, holding that none of the allegations against FRS “sound[ed] in negligence” as required to trigger coverage. Rather, the underlying lawsuit alleged only “knowledge, willfulness and malice”—not “errors, omissions, or negligent acts,” as required by the technology errors and omissions liability form.[19]

Until we have more guidance from the courts regarding how cyber policies will be interpreted, contracting parties must articulate insurance requirements with care and specificity and, where feasible, require the vendor to provide a copy of the insurance policy for verification.

Contractual liability exclusions. Liability assumed under a contract or agreement or arising from a contractual obligation is often excluded from insurance policies. Cyber policies, in general, are no exception, although the exclusion should contain exceptions tailored to cyber risks associated with the use of technology vendors. For example, the Security and Privacy Coverage Section in AIG’s CyberEdge policy precludes coverage for Loss

(k) alleging, arising out of, based upon or attributable to any obligation an Insured has under contract; provided, however, this exclusion shall not apply to:

             (1)  the obligation to prevent a Security Failure or Privacy Event, including without limitation, whether same is in violation of an implied or statutory standard of care;
              (2)  liability an Insured would have in the absence of such contract or agreement;
              (3)  the obligation to comply with PCI Data Security Standards; or
              (4)  with respect to a Privacy Event, any liability or obligation under the confidentiality or non-disclosure provisions of any agreement[.][20]

Because the company cannot expect to have a role in negotiating the scope of the contractual liability exclusion in a vendor’s policy, expectations regarding coverage must be addressed in the vendor contract, subject to verification when feasible or at the company’s election.

Insured versus insured issues. To the extent the company is an additional insured pursuant to the policy’s definition of “insured,” the insured versus insured exclusion could complicate issues in the event of a company-vendor dispute. If the vendor service agreement requires the vendor to make the company an additional insured, the vendor’s policy needs to make clear that the insured versus insured exclusion does not apply to additional insured claims. Consider again the Security and Privacy Coverage Section in AIG’s CyberEdge policy, which bars claims brought by insureds except for entities the named insured is contractually required to add by contract.[21] Without this exception, the company’s claims against the vendor may be excluded.

Strategies for Insuring Cyber Risks in Vendor-Land

Effective management of vendor-related cyber risks is achievable with focused, proactive planning. While the courts have not yet had an opportunity to provide much guidance on cyber policy interpretation, the contracting parties can eliminate uncertainty by understanding the risks they face and clearly articulating their expectations regarding indemnity and insurance obligations. The service agreement must clearly define the scope of a vendor’s work, as well as the vendor’s duties both in mitigation of cyber risks and in the aftermath of a data breach. The interplay between the indemnity provisions in vendor service agreements and the insurance policies maintained by both vendor and client must be evaluated carefully when allocating risk for cyber events.

Finally, given the high stakes associated with cyber risks, the practical concerns may overshadow the technical issues. A vendor with assets insufficient to honor its indemnity obligations in the face of a large-scale cyber breach is less likely to have purchased the most comprehensive cyber coverage on the market. In that situation, the company may not have the protection for which it bargained in the vendor agreement—with little recourse. Short of conducting a thorough insurance audit for each vendor, the company may learn of coverage deficiencies only after a breach.

Keywords: litigation, insurance coverage, cyber risk, data breach, cyber policy, third-party vendor

Amy Stewart and Tarron Gartner-Ilai are with Amy Stewart Law, in Dallas.


 

[1] Brian Krebs, “Email Attack on Vendor Set Up Breach at Target,” Krebs on Security (Feb. 12, 2014).
[2] Shelly Banjo, “Home Depot Hackers Exposed 53 Million Email Addresses,” Wall St. J. (Nov. 6, 2014, 8:03 PM).
[3] Brian Krebs, “Breach at Goodwill Vendor Lasted 18 Months,” Krebs on Security (Sept. 16, 2014).
[4] Marsh &McLennan Cos., Benchmarking Trends: As Cyber Concerns Broaden, Insurance Purchases Rise(Mar. 2015).
[5] Complaint for Declaratory Judgment and Reimbursement of Defense and Settlement Payments, Columbia Cas. Co. v. Cottage Health Sys., No. 2:15-CV-03432 (C.D. Cal. filed May 7, 2015).
[6] Complaint, Cottage Health System, No. 2:15-CV-03432.
[7] Complaint, Cottage Health System,No. 2:15-CV-03432.
[8] Complaint, Cottage Health System, No. 2:15-CV-03432.
[9] Columbia Cas. Co. v. Cottage Health Sys., No. 2:15-CV-03432 (C.D. Cal. July 17, 2015) (order granting motion to dismiss).
[10] American Insurance Group (AIG), Specialty Risk Protector CyberEdge Security and Privacy Liability Insurance.
[11] AIG, Specialty Risk Protector, Security and Privacy Liability Insurance 101024(5/09).
[12] AIG, Specialty Risk Protector CyberEdge Security and Privacy Liability Insurance.
[13] AIG, Specialty Risk Protector CyberEdge Security and Privacy Liability Insurance.
[14] Beazley, Information Security & Privacy Insurance with Electronic Media Liability Coverage.
[15] Ace American Insurance Co., Ace Privacy Protection.
[16] Chubb Group of Insurance Cos., ForeFront Portfolio 3.0, CyberSecurity Coverage Part. In the Chubb policy, “System” is defined to mean a computer and “(a) any input, output, processing, storage and communication devices controlled, supervised or accessed by the operating systems that are proprietary to, or licensed to, the owner of the Computer; and (b) Media.”
[17] Travelers Prop. Cas. Co. of Am. v. Fed. Recovery Servs., Inc., No. 2:14–CV–170 TS, 2015 U.S. Dist. LEXIS 62185 (D. Utah May 11, 2015).
[18] Federal Recovery Services, Inc., 2015 U.S. Dist. LEXIS 62185, at *9.
[19] Federal Recovery Services, Inc.,  2015 U.S. Dist. LEXIS 62185, at *10–11. Note the placement of the word “negligent,” which modifies only “act”—not “error” or “omission.”
[20] AIG, Specialty Risk Protector CyberEdge Security and Privacy Liability Insurance.
[21] AIG, Specialty Risk Protector CyberEdge Security and Privacy Liability Insurance.

Copyright © 2015, American Bar Association. All rights reserved. This information or any portion thereof may not be copied or disseminated in any form or by any means or downloaded or stored in an electronic database or retrieval system without the express written consent of the American Bar Association. The views expressed in this article are those of the author(s) and do not necessarily reflect the positions or policies of the American Bar Association, the Section of Litigation, this committee, or the employer(s) of the author(s).