With all of the media articles published over recent months and years dealing with various cyber threats, it has become apparent that clients don’t really understand their exposures, whether as service providers or as service receivers, and this is causing confusion.
I receive various enquiries from IT Service Providers, as they are the front line of enquiries from their clients trying to understand their own exposures, and they are fielding questions from their clients asking them to explain how these policies work for them.
There are two (2) main levels of exposure:
- First Party (or your own exposure) – This is where your own business has been the subject of a cyber event and suffers a financial loss. Examples of this are:
  - your own website is hacked and needs to be rebuilt;
  - your internal computer installation is hacked and private information is released into the public domain;
  - ransomware attacks.
- Third Party Liability – This is where a third party relies on your professional expertise and services to protect them from the attacks mentioned above.
First party exposures are readily covered by a Cyber Liability policy, and many insurers now offer policies that you can purchase independently of other policies or, in some cases, as an extension to other types of policies (extensions to Management Liability or Professional Indemnity policies are common).
Third party exposures should be covered by a good-quality Professional Indemnity policy held by the service provider.
In its purest or simplest form, a Professional Indemnity policy is designed to compensate a third party for a financial loss they suffer as a result of a breach of a professional duty.
When looking at cyber exposures, the question of what constitutes a breach of professional duty is generally where the confusion arises.
Generally speaking, if a service provider has fulfilled their professional obligations and a client (third party) suffers a loss resulting from a cyber event, it is unlikely that the service provider will be held responsible.
The recent worldwide WannaCry malware attack is a good example.
I believe that businesses that were impacted by this attack on the initial day it was released needed to have their own Cyber policy, as it would be difficult to apportion liability to a service provider for a new attack.
However, businesses impacted after the world had become aware of the attack and the relevant software patches had been released may have a claim against a provider that failed to act professionally and diligently and install those patches on its own internal systems. The same applies where a service provider advises a client or supports the client’s computer infrastructure and fails to apply the relevant patches or to give that advice.
The breach of professional duty in this example is the service provider’s failure to install the relevant patches or upgrades in accordance with their professional duty or responsibility, which led to the client suffering a financial loss through the attack.
Where a service provider gives advice to a client, the client chooses to ignore that advice, and a claim ensues, it is unlikely that a claim against the service provider will be successful.
For example, if a service provider recommends that access to the network through USB thumb drives be restricted, the client ignores this, and an employee plugs a thumb drive carrying a virus or malware infection into the network, it would be difficult for the client to claim negligence on the part of the provider.