Network Computing is part of the Informa Tech Division of Informa PLC

CYA: Cover Your (Vendor) Agreements

In our increasingly virtualized world, much of an organization's Personally Identifiable Information (PII) is stored electronically. The explosion of cloud computing or Software as a Service (SaaS) means organizations are more often using third-party vendors to host and manage some or all of their sensitive data. Additionally, many SaaS or similar vendors are relatively new businesses, without much of a track record. Their longevity or liquidity cannot be presumed.

Most applicable data privacy and security laws will hold your organization equally liable for a breach whether it was your fault or that of your third-party vendor. Risks of data loss, data corruption and data theft are of paramount concern. Such risks are not limited to the organization's own actions or omissions, but increasingly include those of its vendors. When the worst happens, how do you manage the financial cost of data losses?

IT professionals can help their organization better manage and reduce the financial risks when negotiating for IT services or products by understanding how insurance can help cover IT losses. Look for the insurance requirements in your vendor agreements, and know to what extent your organization may be able to cover some of these risks under its own insurance program. Insurance is usually handled by an organization's risk management department or outside agent, but it's important for the IT professional to have some understanding of the relevant types of IT insurance policies in order to craft appropriate insurance-related protection for their vendor agreements.

There are a number of different insurance products that may be available to protect against loss arising from IT-related risks. We'll cover several in the following discussion. Basically, there is insurance within your own organization and then the insurance that vendors will provide.

Commercial Property Insurance is your organization's standard policy that may cover data loss. However, these policies often only provide coverage for reconstruction of lost data if there has been actual physical damage to the systems holding the data. Cyber Liability Insurance will potentially provide protection against a wide range of losses arising from cyber-related risks. These policies are often written in a "menu" format, where the insured can pick and choose from a number of different coverage types.
