If your business is like most today, you partner with several third party vendors. An IT service provider, a customer relationship management (CRM), online project management software, a cloud computing provider, website design firm and more. These third-party vendors often have access to your network, and therefore, the personal information of your customers and employees.
In many cases, these vendors also have access to update software on your system and are trusted sources of links, files, and other attachments on which malware can be distributed. As a result, if a vendor experiences a security breach, your company may be impacted, leading to a data breach (for which you are responsible), fraudulent funds transfers, and network outages caused by ransomware.
Traditionally, third-party cyber liability coverage protected businesses when sued for damages based on media torts. Examples include defamation and infringement based upon the unauthorized use of an image or text, or a breach of privacy related class action lawsuit brought against a large consumer brand name.
Today, there’s a lot more at stake for businesses when they partner with third-party IT service providers. A critical aspect of addressing your business’ cyber risks is understanding your third-party exposures as well as the applicable coverages provided under your Coalition Cybersecurity Policy, including Coalition’s Network and Information Security Liability (NISL) and Media Liability coverage.
When third-party liability increases in severity
More than 30% of businesses say they have vendors they consider to be a material risk in the event of a data breach, as reported by Riskrecon. And rightfully so. Vulnerabilities in third-party software cost businesses $4.33 million annually and are the cause of 14% of breaches, reports IBM.
Unfortunately, the risk and severity of these events are only increasing. For example, as many as 1,000 Coalition policyholders were exposed to the Microsoft Exchange Server vulnerability, in which threat actors used Exchange servers or email accounts to install malware on networks for long-term hacking. Coalition’s in-house forensics team was able to act quickly, remediating the vulnerability for most policyholders but not all.
Here’s another recent real-life example of the impact a third-party vendor can have on a company:An IT service provider suffered a major ransomware attack in which the data of all their customers — hundreds of non-profit organizations, large and small — were exfiltrated. The threat actors used the personal identifiable information (PII) to phish each individual customer, in the name of the non-profit they work with, some of them Coalition’s clients. The threat actors sent the spoof emails directly from the non-profit organization’s email accounts, and therefore these non-profit organizations were on the hook for first-party liability claims, thanks to data security breach suffered by their third-party IT service provider.
As Coalition’s H1 2021 Cyber Insurance Claims Report revealed, the frequency of claims increased this year for 57% of small to midsize organizations with 250 employees or less. More specifically, claims frequency increased by 30% for nonprofits, 46% for IT, and 53% for professional services. Both Industrial and manufacturing businesses also experienced a notable surge, increasing 263% and 99% respectfully.
Transfer your third-party risk to cyber coverage
Even if your third-party vendor has cyber insurance, your contract with them may limit their liability to multiples of the fees you pay them annually or under their services agreement, which is likely not adequate to cover your risk. And, as noted, if an event impacts a large number of a vendor’s customers, their insurance limits may not be adequate to effectively cover the magnitude of their loss. To better address your third-party risk exposure, your business needs the protection of stand-alone cyber coverage.
Coalition's Network and Information Security Liability (NISL) and Media Liability can help cover your business in the event of a cyber claim due to a cyber attack on your network. NISL coverage protects all types of non-technology-based businesses in their use of technology for daily operations and protects them from certain information security liability claims. Coalition's Media Liability coverage can also protect businesses from liability related to your website, social media content, and e-commerce.
Mitigate and manage your third-party liability
In addition to protecting your business from third-party liability with Coalition’s cyber coverage, there are several risk mitigation practices we recommend your business engage in to reduce the chances of a claim. These mitigation practices aren’t just a good idea; they may even be pre-requisites to your cyber coverage since carriers will want to know your business is engaged in vendor due diligence and risk mitigation efforts.
- Get contractual promises. Whenever possible, ask your third-party vendors to retain ample and appropriate cyber coverage. Also, always seek full indemnification under the vendor cyber policies — and ensure that their certificates of insurance state this. In cases where your business is very valuable to the vendor, you may be able to specify the insurance products the vendor retains.
- Practice basic network security hygiene. Best practices dictate that you maintain multi-factor authentication (MFA) on your network in as many places as possible. Make sure it’s on your email system, required for remote access to your network, and that you implement privilege and administration account access. While MFA won’t prevent all cyber threats or attacks, it will greatly increase the degree of difficulty for attackers to infiltrate your network system.
- Require complex, one-time passwords and or a reputable password manager. Requiring employees to have a different password for their work network than other third-party logins will reduce the chances of a bad actor getting into your network system (e.g., if they obtain login credentials via a breach of another network used by your employees). Requiring all employees to use a reputable password manager is a critical step in system hygiene, as it makes having unique passwords for every system they use more practical.
- Remediate vulnerabilities regularly. Network compromises are often due to known vulnerabilities. Attack surface monitoring is a core component of cybersecurity hygiene, and deep scanning and monitoring of an organization’s attack surface is what Coalition Control does for Coalition’s cyber policyholders. When critical vulnerabilities are discovered, Coalition alerts the right people within the organization with detailed, personalized recommendations for remediation.
Protect your business: Get insured
Cyber insurance is a key factor in addressing and mitigating cyber risk directly and indirectly through third-parties that have access to your system, and can quickly facilitate remediation if your business is the target of a cyber attack.
Coalition offers a wealth of resources to help businesses implement good cybersecurity practices, including our Cybersecurity Guide, which outlines the basic tenets of a robust cybersecurity program — a critical factor in reducing your organization’s cyber risk.
For questions about Coalition’s claims process or to be connected to a broker, reach out to our team.
Are you a broker interested in offering Coalition cyber insurance to your clients? Click here to get appointed.