Organizations address third-party risks by requiring cyber coverage

Posted On: Nov. 4, 2018 12:00 AM CST

More companies are insisting their vendors have cyber insurance as the risks associated with these third-party firms rise, say experts.

“I’m finding that companies are asking their vendors to carry more and more robust insurance in limits and scopes of coverage,” said policyholder attorney Scott N. Godes, a partner with Barnes & Thornburg LLP in Washington.

Stephanie Reilly, vice president at Walnut Creek, California-based Relation Insurance Services Inc., formerly Ascension Insurance Inc., said, however, that while some companies are asking their vendors to present some type of proof of cyber liability insurance, there is no certificate that shows all the needed coverages have been acquired.

“Cyber policies vary so much in the various types of insurance coverages they provide ... so it becomes kind of a double-edged sword. But does the customer or the company really know what they have? That becomes one issue,” she said.

Some experts also recommend that organizations ask their vendors to obtain a certification such as the ISO 27001 information security standard.

The standard helps firms manage the security of their assets by providing requirements for their information security management systems.

But even if a vendor has its own cyber insurance coverage, the contracting organization is still going to need to make sure its own policy “is broad enough to take into account even a vendor’s computer systems,” said Jason Krauss, New York-based cyber/errors and omissions thought and product leader for Willis Towers Watson PLC’s FINEX North America business.