Providers of technology products and services are consistently innovating to grow their offerings to retailers. These new products and services present significant opportunity for retailers to more effectively reach customers, generate sales and grow revenue. But while these new offerings present a great tool to grow sales in this challenging market, they also can present significant cybersecurity risks.
To manage risk, technology transactions have long prescribed contractual insurance requirements for providers, supplementing security-related warranties and indemnities and backstopping limitations on liability. Unlike traditional insurance coverages (e.g., errors and omissions, commercial general liability, automotive) that employ industry standard policy language, cybersecurity policy language has not yet evolved to an industry standard. This will likely be the case until the cybersecurity market matures and insurance providers become comfortable with uniform cybersecurity policy language.
In light of the evolving cybersecurity market, consider the following five tips when thinking about what cybersecurity insurance requirements you need in your technology transactions.
Rely first on effective prevention.
Both parties are better off avoiding an incident than relying on insurance to cover losses. Critically evaluate the security infrastructure offered by your vendor and the security assurances they can provide during the life of the deal. It may not make sense to share some kinds of higher-risk data with vendors who don’t measure up. Where information must be shared, ensure that comprehensive requirements for encryption, access to information, password management, handling of sensitive information and physical and network security are clearly laid out in your contract.
Require cybersecurity insurance.
For most companies that possess, share or generate electronically stored information, whether a cyber breach will occur is not a matter of “if,” but “when.” It is prudent, therefore, to include a provision in your insurance requirements specifically addressing such an eventuality. The provision should address, at a minimum:
- the provider’s requirement to obtain cybersecurity insurance (including coverage amounts). For example: “Cyber liability insurance, with limits not less than ____ per incident, occurrence, event or claim, ____ aggregate”; and
- the specific cyber risks that are to be covered (e.g., breach response costs, regulatory fines and penalties, crisis management costs).
Additionally, companies should consider whether to be named as an “additional insured” – realizing that this may be of limited value if there is a major breach affecting many customers who are also insureds. It may also require further language excepting any otherwise preclusive “insured versus insured” exclusions such that the additional insured is not precluded from itself claiming against the Named Insured.
Understand the cybersecurity risk your transaction presents to your organization and be realistic in the amount of coverage you ask providers to carry.
Spend time thinking about the specific risk posed by a transaction to your organization’s risk profile. Ask:
- Will the provider handle personal information?
- What will the provider have access to on your network?
- How is the relevant information protected?
- What is the realistic breadth of any potential data breach (e.g., how many records could get out)?
Your risk management team can assess the appropriate levels of coverage based on the risk posed by the transaction and the levels of coverage typically purchased by similarly sized providers. In general, small and medium sized providers typically will have policy limits of $2MM to $4MM. Large providers likely have much greater coverage.
Ask for a copy of the policy, do not rely solely on the certificate of insurance.
Ask your provider to provide complete, certified copies of its cybersecurity insurance policy, including all endorsements. Because there is no industry standard cybersecurity language, it is not enough to only review the certificate of insurance, which is not binding on the insurer, in any event. Reviewing the policy language is important to validate that the policy was actually issued, that it covers the risks identified in your contract, that no broad exclusions apply and that no material gaps exist between the cybersecurity coverage afforded and any ancillary coverages that might exist for non-cyber risks (e.g., commercial crime, general liability, etc.). Our clients often ask us to conduct such reviews to help them assess the scope of coverage offered by providers.
Consider purchasing an “excess” cybersecurity policy.
“Excess” cybersecurity insurance provides additional protection for retailers. Excess cybersecurity insurance applies only in excess of a provider’s cybersecurity policy. The provider’s policy acts as the primary insurance and the excess policy provides an additional limit of insurance. Your risk management team and insurance broker can help determine if an excess cybersecurity insurance policy makes sense for your organization. Having your own policy may be the best protection, since, in a major breach, you may be forced to share with many other claimants a relatively small pay-out under a vendor’s policy.
- Partner
Mike is a Legal 500 and Chambers USA-ranked lawyer with more than 25 years of experience litigating insurance disputes and advising clients on insurance coverage matters.
Mike Levine is a partner in the firm’s Washington, DC ...
- Partner
With over 25 years of experience, Randy is a broadly experienced transactional lawyer known for his ability to creatively and collaboratively solve business problems for clients in a wide range of industries. Randy has negotiated ...
Search
Recent Posts
Categories
- Advertising & Marketing
- Bankruptcy
- Class Action
- Competition/Antitrust
- Consumer Protection
- Corporate Governance
- Environmental
- General
- Health Care
- Insurance
- IP
- Labor and Employment
- Mergers & Acquisitions
- Patent Infringement
- Patents
- Privacy & Cybersecurity
- Product Liability
- Real Estate
- Regulatory
- Regulatory
- Technology & E-Commerce
Tags
- 29 C.F.R. § 785.48
- 396-r
- 3D Printer
- 3D Printing
- A. Todd Brown
- A.S. Research (ASR)
- Aaron P. Simpson
- Advertisers
- Advertising
- Advertising Claims
- Advertising Idea
- Agency Guidance
- AI
- AI Interviewing Platforms
- Algorithmic Accountability Act
- Align
- Americans with Disabilities Act
- Americans with Disabilities Act (ADA)
- Andrea DeField
- Ann Marie Buerkle
- Annual Reports
- anti-aging
- Anti-Discrimination
- APEX Agreement
- Arbitration
- Arbitration Agreements
- Arizona
- Arkansas
- Arthritis
- Artificial Intelligence
- Artificial Intelligence (AI)
- Asbestos
- Assembly Bill 51 (AB 51)
- ATDS
- Australia
- Auto-renewals
- automatic telephone dialing system (ATDS)
- Automobile
- Automotive Body Parts Association (ABPA)
- Back to Work Emergency Ordinance
- biased endorsements
- Biden Administration
- Biometric Data
- Biometric Information
- Biometric Information Privacy Act (BIPA)
- BIPA
- Bitcoin
- Blockchain
- Board Diversity Disclosure
- Boards of Directors
- Bonuses
- Braille
- Branding
- Breach
- Breach of Contract
- Business Interruption Loss
- Businessowner’s Insurance
- California
- California Assembly Bill 2011
- California Employment Laws
- California Fair Employment and Housing Act
- California False Claims Act
- California Labor Code
- California Senate Bill 6
- California’s Unfair Competition Law
- CAMS
- Canada
- Cannabis
- CBD
- CBP
- CCPA
- Celebrity Endorsers
- Center for Disease Control (CDC)
- CFIUS
- CGL
- Chatbot
- Children’s Advertising
- Children’s Advertising Review Unit
- Children’s Online Privacy Protection Act (COPPA)
- China
- Christopher J. Dufek
- Christopher W. Hasbrouck
- Christy Kiely
- Class Action
- Class Actions
- Clawback
- Click-to-Cancel
- Climate Change
- clinical trials
- Collective Action
- Colorado
- Commercial General Liability
- Commercial Leasing
- Commodity Futures Trading Commission
- Compliance
- Congress
- Connecticut
- Consent
- Consent Order
- Consumer Data
- Consumer Financial Protection Bureau
- Consumer Fraud
- consumer loyalty program
- Consumer Product Safety Act
- Consumer Products
- Consumer Products Safety Commission (CPSC)
- Consumer Protection
- Consumer Review Fairness Act of 2016 (CRFA)
- Consumer Reviews
- Contamination
- Contract Law
- Controlled Substance Act
- Cookware
- COPPA
- Copyright
- Coronavirus/COVID-19
- Corp Fin
- Corporate Governance
- Corporate Reporting
- Corporate Sustainability
- Counterfeit Goods
- Counterfeit Goods Seizure Act of 2019
- CPRA
- CPSA
- CPSC
- Crack House Statute
- CRFA
- Cryptocurrency
- CSPA
- Cuba
- Currency
- Customs and Border Protection
- Cyber Coverage
- D&O
- D&O policies
- D. Andrew Quigley
- Damages
- Data Breach
- Davidson
- Deceptive Advertising
- DEI
- Delaware
- DEP
- Department of Justice
- Department of Labor
- Development Impact Fee
- Digital Assets
- digital currency
- Disclosures
- Distribution
- Division of Corporation Finance
- Dodd-Frank
- DOJ
- DOL
- Duty to Defend
- Duty to Indemnify
- e-liquid products
- Eddie Bauer
- EEOC
- Electric Vehicles
- Eleventh Circuit
- Emily Burkhardt Vicente
- Employee Rights
- Endorsement
- Endorsement Guides
- Endorsement Notice
- Endorsements
- endorser monitoring requirements
- Enforcement
- Environmental Protection Agency
- Environmental Protection Agency (EPA)
- EPA
- Epidemic
- ESG
- ESG Disclosure
- EU Regulation
- European Union
- European Unitary Patent
- EV Charging
- Exceptions
- Exclusions
- Exercise Machines
- Extended Producer Responsibility (EPR)
- FAA
- Fair Labor Standards Act
- Fair Labor Standards Act (FLSA)
- fair use
- False Advertising
- False Advertising Claims
- False Advertising Law
- False Claims Act
- Family Leave Policies
- FCC
- FCRA
- FDA
- Federal Arbitration Act (FAA)
- Federal Communications Commission
- Federal District Court
- Federal Trade Commission
- Federal Trade Commission (FTC)
- FFDCA
- FIFRA
- Fifth Circuit
- Final Rule
- Fireworks
- First Amendment
- Fixing America’s Surface Transportation (FAST) Act
- Florida
- Florida House of Representatives (HB 963) and Florida Senate (SB 1670)
- Florida Legislature
- FLSA
- FLSA/Wage & Hour
- food delivery
- Food Safety
- Form 10-K
- Formaldehyde Standards for Composite Wood Products Act of 2010
- fractional interests
- Franchise
- Frederic Chang
- Free Trials
- FTC
- FTC Act
- Gavin Newsom
- GDPR
- General Liability
- Geoffrey B. Fehling
- Georgia
- Gift Cards
- GoodRx
- Gramm-Leach-Bliley (GLB) Act
- Green
- Green Guides
- Greenhouse Gas
- Gun Safety
- Hart-Scott-Rodino
- Hart-Scott-Rodino (HSR)
- hashtag
- Hawaii
- Health Care
- Health Claims
- Hedge Fund
- HIPAA
- hoverboards
- human capital
- Human Rights
- Illinois
- Illinois Artificial Intelligence Video Interview Act (the Illinois Act)
- Illinois Biometric Information Privacy Act (BIPA)
- Indiana
- Influencer Marketing
- Infringement
- initial public offerings (IPOs)
- Injury
- Insurance
- Insurance Loss
- Insurance Provider
- Intellectual Property
- Intellectual Property Licenses in Bankruptcy Act
- Interest Rate
- International
- International Trade Commission
- International Trade Commission (ITC)
- INVISALIGN
- Iowa
- IP
- Ireland
- IT
- ITC
- iTERO
- Junk Fees
- Katherine Miller
- Kurt A. Powell
- Kurt G. Larkin
- Labeling Rules
- Labor
- Labor Code Private Attorneys General Act of 2004 (PAGA)
- Labor Organizing
- Labor Unions
- Land Use
- Landlord
- Latin America
- Lautenberg Act
- Lawsuit Reform Alliance of New York (LRANY)
- Lead
- Lease
- Legislation
- Leveraged Loans
- Liability Insurance Policy
- Liberty Insurance Corporation
- Liberty Mutual Fire Insurance Company
- LIBOR Discontinuation
- liquidity
- Litigation
- Live Chat
- Louisiana
- M&A
- Made in the USA
- Made in USA
- MagicSleeve
- Magnuson-Moss Warranty Act
- Magnuson-Moss Warranty Act (MMWA)
- Maine
- Malcolm C. Weiss
- Manufacturing
- Marketing Claims
- Maryland
- Massachusetts
- Matthew T. McLellan
- Maya M. Eckstein
- MD&A
- Medtail
- Membership cancellation
- Metaverse
- MeToo Movement
- Mexico
- Michael J. Mueller
- Michael S. Levine
- Minimum Wage
- Minnesota
- Minnesota Pollution Control Agency (MPCA)
- Misclassification
- Mislabeling
- Mission Product Holdings
- Missouri
- Mobile
- Mobile App
- Multi-Level Marketing Program (MLM)
- NAA
- NAD
- NASA
- National Advertising Division
- National Advertising Division (NAD)
- National Advertising Review Board
- National Products Inc.
- National Retail Federation
- Natural Disaster
- Nebraska
- Neil K. Gilman
- Network Outage
- Nevada
- New Jersey
- New York
- NHTSA
- NIL rights
- Ninth Circuit
- NLRA
- NLRB
- no-action request
- non-fungible token (NFT)
- North Carolina
- Obama Administration
- Occupational Safety and Health Administration (OSHA)
- Occurrence
- Office of Labor Standards Enforcement
- Ohio
- Oklahoma
- Online Cash Providers
- Online Retailer
- online reviews
- Opioids
- Oregon
- Overboarding
- Overtime
- Overtime Exemptions
- Ownership
- Packaging
- PAGA
- Pandemic
- Patent
- Patent Infringement
- Patents
- Paul T. Moura
- Pay Ratio
- pay-to-play rankings
- Penalty
- Pennsylvania
- Personal and Advertising Injury
- Personal Data
- Personal Information
- Personally Identifiable Information
- Pesticides
- PFAS
- Physical Loss or Damage
- Policy
- price gouging
- Privacy
- Privacy Guidelines
- Privacy Policy
- Privacy Protections
- Prohibition on Sale
- Property Insurance
- Property Rights
- Proposition 65
- Proxy Access
- proxy materials
- Proxy Statements
- Public Companies
- Purdue Pharma
- Randall S. Parks
- Ransomware
- real estate
- Recall
- Recalls
- Regulation
- Regulation S-K
- Restaurants
- Restrictive Covenants
- Retail
- Retail Development
- Retail Industry Leaders Association
- Retail Litigation Center
- Rounding
- Rulemaking
- Ryan A. Glasgow
- Sales Tax
- Scott H. Kimpel
- SD8 coins
- SEC
- SEC Disclosure
- Second Circuit
- Section 337
- Section 365
- Secure and Fair Enforcement Banking Act of 2019 (“SAFE Banking Act”)
- Securities
- Securities and Exchange Commission
- Securities and Exchange Commission (SEC)
- security checks
- Senate
- Senate Data Handling Report
- Sergio F. Oehninger
- Service Contract Act (SCA)
- Service Provider
- SHARE
- Shareholder
- Shareholder Proposals
- Slogan
- Smart Contracts
- Social Media
- Social Media Influencers
- Software
- South Carolina
- South Dakota
- Special purpose acquisition companies (SPACs)
- State Attorneys General
- Store Closures
- Subscription Services
- Substantiation
- Substantiation Notice
- Supplier
- Supply Chain
- Supply contracts
- Supreme Court
- Sustainability
- Syed S. Ahmad
- Synovia
- Targeted Advertising
- Tax
- TCCWNA
- TCPA
- Technology
- Telemarketing
- Telephone Consumer Protection Act
- Telephone Consumer Protection Act (TCPA)
- Tempnology LLC
- Tenant
- Tennessee
- Terms and Conditions
- Texas
- the Fair Credit Reporting Act (FCRA)
- Thomas R. Waskom
- Title VII
- tokenization
- tokens
- Toxic Chemicals
- Toxic Substances Control Act
- Toxic Substances Control Act (TSCA)
- Trade Dress
- Trademark
- Trademark Infringement
- Trademark Trial and Appeal Board (TTAB)
- TransUnion
- Travel
- Trump Administration
- TSCA
- TSCA Title VI
- U.S. Department of Justice
- U.S. Department of Labor
- U.S. Food and Drug Administration
- U.S. House of Representatives
- U.S. Patent and Trademark Office
- Umbrella Liability
- Union
- Union Organizing
- United Specialty Insurance Company
- Unmanned Aircraft
- Unruh Civil Rights Act
- UPSTO
- US Chamber of Commerce
- US Customs and Border Protection (CBP)
- US Environmental Protection Agency (EPA)
- US International Trade Commission (ITC)
- US Origin Claims
- US Patent and Trademark Office
- US Patent and Trademark Office (USPTO)
- US Supreme Court
- USDA
- USPTO
- Utah
- Varidesk
- Vermont
- Virginia
- volatile organic compound (VOC) emissions
- W. Jeffery Edwards
- Wage and Hour
- Walter J. Andrews
- Warranties
- Warranty
- Washington
- Washington DC
- Web Accessibility
- Weight Loss
- Wiretapping
- World Health Organization (WHO)
- Wyoming
- Year In Review
- Zoning Regulations
Authors
- Gary A. Abelev
- Alexander Abramenko
- Yaniel Abreu
- Syed S. Ahmad
- Nancy B. Beck, PhD, DABT
- Brandon Bell
- Fawaz A. Bham
- Michael J. “Jack” Bisceglia
- Jeremy S. Boczko
- Brian J. Bosworth
- Shannon S. Broome
- Samuel L. Brown
- Tyler P. Brown
- Melinda Brunger
- Jimmy Bui
- M. Brett Burns
- Olivia G. Bushman
- Matthew J. Calvert
- María Castellanos
- Grant H. Cokeley
- Abigail Contreras
- Alexandra B. Cunningham
- Merideth Snow Daly
- Javier De Luna
- Timothy G. Decker
- Andrea DeField
- John J. Delionado
- Stephen P. Demm
- Mayme Donohue
- Nicholas Drews
- Christopher J. Dufek
- Robert T. Dumbacher
- M. Kaylan Dunn
- Chloe Dupre
- Frederick R. Eames
- Maya M. Eckstein
- Tara L. Elgie
- Clare Ellis
- Latosha M. Ellis
- Juan C. Enjamio
- Kelly L. Faglioni
- Ozzie A. Farres
- Geoffrey B. Fehling
- Hannah Flint
- Erin F. Fonté
- Kevin E. Gaunt
- Andrew G. Geyer
- Armin Ghiam
- Neil K. Gilman
- Ryan A. Glasgow
- Tonya M. Gray
- Aidan Gross
- Elisabeth R. Gunther
- Steven M. Haas
- Kevin Hahm
- Jason W. Harbour
- Jeffrey L. Harvey
- Christopher W. Hasbrouck
- Eileen Henderson
- Gregory G. Hesse
- Kirk A. Hornbeck
- Rachel E. Hudgins
- Jamie Zysk Isani
- Nicole R. Johnson
- Roland M. Juarez
- Suzan Kern
- Jason J. Kim
- Scott H. Kimpel
- Andrew S. Koelz
- Leslie W. Kostyshak
- Perie Reiko Koyama
- Torsten M. Kracht
- Brad Kuntz
- Kurt G. Larkin
- Tyler S. Laughinghouse
- Matthew Z. Leopold
- Michael S. Levine
- Ashley Lewis
- Abigail M. Lyle
- Maeve Malik
- Phyllis H. Marcus
- Eric R. Markus
- Brandon Marvisi
- John Gary Maynard, III
- Aubrianna L. Mierow
- Gray Moeller
- Reilly C. Moore
- Michael D. Morfey
- Ann Marie Mortimer
- Michael J. Mueller
- J. Drei Munar
- Marcus E. Nelson
- Matthew Nigriny
- Justin F. Paget
- Christopher M. Pardo
- Randall S. Parks
- Katherine C. Pickens
- Gregory L. Porter
- Kurt A. Powell
- Robert T. Quackenboss
- D. Andrew Quigley
- Michael Reed
- Shawn Patrick Regan
- Jonathan D. Reichman
- Kelli Regan Rice
- Patrick L. Robson
- Amber M. Rogers
- Natalia San Juan
- Katherine P. Sandberg
- Arthur E. Schmalz
- Daniel G. Shanley
- Madison W. Sherrill
- Kevin V. Small
- J.R. Smith
- Bennett Sooy
- Daniel Stefany
- Katherine Tanzola
- Javaneh S. Tarter
- Jessica N. Vara
- Emily Burkhardt Vicente
- Mark R. Vowell
- Gregory R. Wall
- Thomas R. Waskom
- Malcolm C. Weiss
- Holly H. Williamson
- Samuel Wolff
- Steven L. Wood
- Jingyi “Alice” Yao
- Jessica G. Yeshman