You Can Outsource a Service, but Not Cyber Risk

With the growth of infrastructure as a service, software as a service, and platform as a service, most businesses today have handed over their data to third parties in some capacity. In fact, nearly 100% of businesses use cloud services to store and process their data in some way. But as companies outsource business tasks to these vendors, they aren’t outsourcing their risk.

In the event a data breach occurs that compromises your data within a third party’s system, your company is still responsible for everything that comes with a data breach, including compliance with regulating bodies, potential lawsuits, and related costs.

Data Owners vs. Data Processors

The recent wave of privacy litigation--whether it is General Data Protection Regulation (GDPR) in Europe or the California Consumer Privacy Act (CCPA) in the US--has brought forward two definitions that dictate various sides of risk depending on which category you fall into: data owner or data processor.

A data owner, sometimes referred to as a data controller, is the company that originally collects data on their customers or consumers. These companies are in control of what information is collected, the methods of collection, and other decisions such as how data is used, stored, and managed.

A data processor is the company that processes, stores, or analyzes the data on behalf of the data owner. These companies are often third-party vendors or service providers to the data owner, with access to data collected by the owner.

Importantly, some privacy laws lay out requirements for each company that might collect or access data and neither party is able to transfer their own risk of violating these requirements to the other. This is what creates the scenario where you can outsource a service, but not outsource the risk.

Despite retaining this risk, there are still ways to mitigate your exposure. Let’s look closer at your first and second lines of cyber defense as you contract with these critical third parties to do business.

First Line of Defense: The Contract

For companies that have negotiated contracts with third-party vendors, it will come as no surprise that these vendors will limit their liability as much as possible when it comes to your data. Despite the responsibility that the data owner has to comply with privacy laws, the financial cost of fulfilling that responsibility can potentially be passed to the third-party vendor through a contract. Remember: the average breach costs a business $3.86 million.

This is why your contract with vendors is known as the first line of defense. If the vendor is responsible for a data breach of your customer’s data, requiring them to reimburse you for the costs you incur in responding to that breach can protect your balance sheet. It’s easier said than done, though.

Many vendors want to nullify this financial risk. Others may put a cap on their liability, typically set very low, equal to fees you’ve paid them for the prior 12 months.

When viewed from the vendor side, this approach makes sense as these vendors act as aggregators of each of their own client’s risk. If the vendor caused a data breach that impacted all of their customers, each of those customers would be looking for reimbursement at the same time. This is too great a risk for many vendors to accept, so they look to limit their liability in contracts.

That said, it’s becoming more common in contract negotiations for companies to verify that their vendors have the right insurance policies in place.

Companies looking to outsource services to a third-party vendor should require their vendors to maintain errors and omissions coverage, as well as cyber liability coverage. Often, these coverages can be found on the same policy form integrated together.

The cyber liability coverage requirement for your vendor is important to make sure the vendor is able to respond adequately to a data breach or other security incident, including access to incident response specialists such as IT forensics providers and coverage for expenses the vendor incurs responding to the event.

The errors and omissions coverage is important to pick up the financial cost of your claim for recovery of expenses you incur to comply with privacy laws. The data breach suffered by your vendor is akin to their service failing you, and claims you make for indemnities granted in your contract will fall under the errors and omissions coverage.

In the event that your vendor having cyber coverage is still not enough, you’ll want to turn to a well-brokered cyber insurance policy for your company.

Second Line of Defense: The Cyber Policy

When your contracts aren’t able to provide adequate protection for your company, your cyber insurance policy should be designed to step up and support your business.

A unique feature of cyber insurance is that it covers your company in the event a data breach occurs, regardless of who was responsible for losing the data. So whether it was you or your cloud service provider, for example, the policy responds to help cover your company’s financial impact.

So what’s covered if your vendor has a data breach that impacts you, and potentially your customers? When responding to a cyber event, your insurance policy will step in to cover expenses like:

• IT forensics
• Data restoration
• Breach notification to consumers
• Setting up a call center
• Public relations expertise
• Credit monitoring and identity restoration
• Defense costs related to a class action or regulatory action
• Lost profits due to a network outage

After supporting you through the cyber event, your insurance carrier may also take the lead in enforcing your contractual rights in your contract with the service provider responsible for the breach, a process known as subrogation.

This broad coverage gives companies an added layer of financial security and peace of mind when handing over their data to critical business partners. For more on what cyber policies cover, see my article on Cyber 101.

Outsourcing business functions to experts, whether cloud companies or some other third-party service provider, can lead to significant operational efficiencies for any company. But a hidden cost of outsourcing is giving a third party access to your data. And while security is a top priority for many of these vendors, companies must understand that outsourcing the service does not outsource the cyber risk.