Achieving cost efficiency and filling gaps in expertise has led many companies to rely more and more on outside vendors and third parties for services, including cybersecurity. But those benefits bring significant vulnerabilities with them, exposing businesses to cyber breaches, compromised data, operational disruptions, costly insurance claims, and legal battles.
For example, if a vendor responsible for processing payments has inadequate cybersecurity and gets attacked, it compromises the company’s customer data. Such breaches have occurred with alarming frequency, causing significant financial and reputational damage. These attacks also open the floodgates for hackers to infiltrate the company’s network, disrupting operations and leading to business interruption claims.
The potential for such claims, along with regulatory compliance concerns, underscores the importance of thoroughly assessing the cybersecurity posture of any third party before entering a business relationship. This process should include both the IT/security team and the legal department, and should examine the following items:
- Vetting the Vendor: Rigorously assess the vendor’s cybersecurity practices to ensure robust defenses are in place, including the vendor’s incident response plan and its compliance with relevant standards and regulations. Incorporating adequate cybersecurity measures and response plans into the vendor contract is crucial.
- Requiring Cyber Insurance: Vendors should be required to carry cyber insurance covering breaches that could impact your operations, including third-party liability for hardware failures, system breakdowns, and business interruption claims. Review the policy for exclusions or limitations that might impact your company’s coverage.
- Incorporating Risk-Shifting Provisions: Your legal team should include risk-shifting provisions in contracts with third-party vendors, so that if a breach occurs, the vendor indemnifies your company against both direct losses and third-party claims. This indemnification should cover both standard and gross negligence, as well as willful misconduct, and include reimbursement for any losses beyond what insurance might cover. Such contractual agreements shift the financial burden back onto the vendor in the event of a cyber incident.
The professionals at Evergreen Insurance understand these scenarios and can speak the language of business owners looking for the best package of protection. Contact us to learn more.
Copyright 2025 Evergreen Insurance
Evergreen Insurance provides these updates for information only, and does not provide legal advice. To make decisions regarding insurance matters, please consult directly with a licensed insurance professional or firm.