Tech & Sourcing @ Morgan Lewis

TECHNOLOGY TRANSACTIONS, OUTSOURCING, AND COMMERCIAL CONTRACTS NEWS FOR LAWYERS AND SOURCING PROFESSIONALS

Cyberinsurance Requirements in Tech Transactions: Balancing Risk and Market Practice

As ransomware threats, data breach litigation, and supply chain cybersecurity concerns become increasingly common and costly, buyers of tech, SaaS, and outsourcing services are giving far more weight to cyberliability insurance requirements in their contracts. While cyberinsurance provisions are becoming a routine point of negotiation in technology and outsourcing agreements, expectations on coverage, limits, and scope may vary widely.

In this blog we explore what types of coverage are typically requested, how these provisions intersect with indemnification and liability caps, and the questions technology lawyers should be asking as insurance becomes a larger part of contract negotiations.

Key Coverage Types and Market Benchmarks

Cyber policies in technology agreements typically cover the following:

  • Incident response, breach notification, and legal costs associated with data privacy or regulatory investigations
  • Business interruption or loss of business hours due to a cyber event such as ransomware or a system compromise
  • Data restoration or recovery of lost, corrupted, or encrypted data
  • Third-party liability exposures related to claims from vendor customers or other downstream entities

Policy limits typically vary depending on the size and risk exposure of the parties. For small-to-medium vendors, limits in the $2–$5 million range are not uncommon, while larger vendors or those in high-risk sectors may see demands for $10 million or more.

Practical Issues to Address

Common issues when negotiating cyberinsurance provisions in technology agreements include:

  • Minimum policy requirements: What minimum limits and types of risk are required for vendor policies?
  • Trigger or event scope: What specifically must happen for the vendor’s policy to kick in? Is it only data breach or also “cyber extortion,” supply chain compromise, etc.?
  • Insurance coverage and insurance claims: Should vendor policies name the buyer as an additional insured or require certificate and policy review?
  • Interaction with indemnification and liability caps: How does the vendor’s insurance policy tie in with indemnification obligations or limitation-of-liability provisions? For instance, is the vendor required to maintain coverage at least as high as its exposure under indemnity or liability caps? Or vice versa, would it be reasonable for the customer to agree that the liability is limited to the maximum insured amount?
  • Claims cooperation and notice requirements: Within what timeline must vendors provide notice of claims or circumstances that may lead to a claim? What cooperation or defense obligations are required contractually?

Cyberinsurance in Cross-Border Context

When contracting around the globe, both vendors and customers must consider whether their standard approach to cyberinsurance requires revision:

  • Availability of coverage: In most jurisdictions, insurance business is a licensed activity and insurance policies must be procured through a locally licensed insurance company. In some jurisdictions, availability of cyberinsurance policies may be limited and the premiums would be substantially higher than typically seen in the United States or European Union.
  • Coverage territory: It is important to ensure that cyberinsurance policies are worldwide and not limited by the location in which any breach, act, or loss occurred.
  • Coverage duration: Different jurisdictions have different approaches to the statute of limitations. The parties therefore need to consider how long the vendor shall maintain the policies in force after the termination of the underlying services contract.

With cyber incidents on the rise and insurance markets tightening, pressure is increasing on both sides of the contracting table. Customers are less willing to accept vague or boilerplate insurance provisions, while vendors face rising premiums and narrower policy terms. Balancing the need to address coverage gaps through insurance with the risk of overly aggressive demands that may drive up costs and delay transactions remains essential in technology transactions.