How Substandard Managed Service Provider Contracts are Impairing Cyber Claims
Working directly with insurers and brokers for almost a decade, the STORM Guidance team has had a unique overview of the management of policyholder cyber risk and claimant incident response.
During this time, we’ve been immersed in various situations that arise during a cyber insurance claims process. Over the last two years, we've observed a new concern that should be underlined to the wider market. Drawing attention to the often-complex scenarios and tangled weave of anomalies throughout the process of a claim and the response to incidents, we have explored the role of IT Service Providers (ITSPs), and the contention that can arise in both understanding their clients’ risk at inception, and during the claims process. With the gravity of the issues posed to brokers and insurers, this article seeks to raise awareness, and in doing so, open the lines of communication, addressing another headache in a market already under strain.
An ITSP's obligations
It is the role and function of an ITSP to manage their clients’ networks and data, ensuring they are secure and accessible.
An ITSP is contracted to administer networks, set up and manage software and updates, configure systems, manage antivirus and system backups, and maintain effective data processing with appropriate security protocols. When an ITSP fails to carry out these responsibilities effectively and with reasonable care, the risk can be catastrophic. Further, because ITSPs' systems are interconnected with those of their clients, who are regularly in the same industry sector, an ITSP that fails to mitigate its own cybersecurity risk effectively provides attackers with a backdoor to its clients' systems and data.
All too often, we note a lack of attention to the terms of agreement between policyholders and their Managed Service Providers; sometimes, there is no formal written contract at all!
In today's world, investigating the contracts held with service providers must be an absolute first port of call, and insurers can work with their claimants to see that obligations are being met and that Prime Service Agreements and Statement of Work (SOW) documents have been provided. These should give an outline of service and work, compensation terms, default terms, and insurance and compliance terms, to name but a few. In our digital investigations, we occasionally find that contracts between our clients and their ITSPs simply do not exist, and where they do, the clauses concerning risk management are nearly always missing or inadequate. Policyholders need to understand what they can expect from their ITSPs following a breach (and in the management of cyber risks generally), and for this, identifying terms from the outset is paramount. A further concern is whether the contracts stipulate liability in the event of a cyber incident where the ITSP's negligence is a contributing factor.
Unfortunately, we are familiar with incidents where our client's ITSP has sought to avoid liability or, worse still, has disassociated itself entirely from the incident response process.
As third-party incident responders, we have of course been on hand to support these clients. However, when the claimant's ITSP withdraws from the situation, it takes with it the skills and knowledge of certain key systems, stifling progress and reducing the efficiency of our combined teamwork.
It comes with the territory that firms will often need to share confidential information with their service providers, and where this vendor fails to adequately protect its systems, this sensitive data is put at risk. In the last few years, ITSPs have become a favoured target of cybercriminals because of the vast networks and IT infrastructure they manage across all business sectors, large or small. They are effectively a doorway to multiple victims at a time. In such instances, both the ITSP and the companies affected will almost certainly face legal action. Although this may appear to be a harsh penalty for the company that entrusted the third-party vendor, a key element of such legal scrutiny is centred on negligence, highlighting the company's lack of care when selecting an appropriate provider. Added to this, poor diligence in monitoring the provider's systems and the company's general approach to cyber risk management can also be called into question.
Brokers and insurers may benefit from insisting on the appropriate procurement and vetting of third-party vendors, and should also make clear whether policies will cover claims for compensation arising from such incidents.
With clarity over the services provided by the insurer in response to incidents (whether to help in the recovery phase or to improve resilience going forward), claims handlers can avoid being hit with additional bills from ITSPs charging for services that were already carried out by the appointed third-party Incident Response teams. It is not uncommon to see claims reserves determined incorrectly because insureds add ITSP costs to claims for services that arguably are not part of the response service. Although ITSPs are often helpful during restoration, incident response is usually not their area of expertise, and they lack the specialist skills required for the optimal approach to investigation, often failing to preserve vital evidence and destroying it during their rushed efforts to recover. In this event, the insured is left in the dark over how the incident occurred and its potential impact.
An underwriting perspective
Speaking with Austin Karpinski, Senior Cyber & Technology Underwriter at Markel, we gained further insight into the gravity of the situation from the view of cyber market players.
Expressing the need for more oversight of this class of business, Karpinski referred to the ISO/NIST security regulations required of financial institutions, and how, with a similar model in place, it would be easier to quantify from an underwriting perspective. He argues, "The contracts are the key reason why many, if not all, cyber carriers are out of quoting this class of business, in my opinion. We're given minimal, if any, contractual information from an underwriting perspective, which makes it near impossible, given the systemic exposure tied with these entities". He went on to conclude, "Until companies require these providers to display more information around service, terms, controls and if/when/how they can oversee and access the environment, I don't see the stance changing from an appetite perspective".
Without a more stringent approach to regulating ITSPs, it is unrealistic to expect any easing of the increased pressures these providers impose on cyber carriers. Karpinski drew a comparison to the required auditing and compliance of the Payment Card Industry Data Security Standard (PCI DSS), suggesting that ITSPs should be certified to a similar standard, with guidelines over what they do with their clients' information, protecting those clients from negligence and poor diligence in the approach to cyber security.
Karpinski elaborated, “Putting everyone on the same playing field and allowing a third-party to judge will allow the underwriting community to obtain the information they need, while hopefully holding these entities to a higher standard of care and control for their clients”.
In addition to the regulation of service provider contracts, Karpinski drew upon a further measure that could improve the situation from an underwriting perspective. As the situation stands, when questions are asked over the breakdown of ITSPs' customers, in both revenue band and industry class, even the biggest ITSPs cannot quantify the controls of the customer networks they are accessing, or even exactly how many customers they have: "It really just gets down to the point", he noted, "there should be more structured contracts and requirements by both parties for any service provider, but especially cyber security providers."
Questions over ‘betterment’
STORM has recognised a further notable discrepancy revealed during the investigation of numerous claims, where insureds and ITSPs 'retrofit' planned IT projects into a claim, which could be considered as betterment.
Cyber policies typically include betterment exclusions, which reject any updating, upgrading, enhancing, or replacing of computer systems to a level exceeding what existed before the cyberattack. Acts of betterment such as this suggest a failure in duty by the ITSP: had those enhancements already been in place, perhaps the security breach might not have occurred.
In cases of negligence, where an ITSP may be responsible for some part of the damage, the insurance company can effectively take on the role of the insured, suing them to recover the losses. However, where insureds and ITSPs tweak a claim to include improvements in IT, this raises further alarm bells for insurers. STORM Guidance CEO, Neil Hare-Brown explains, "this would also be considered as preventing the right of subrogation for an insurer who may, for good reason, decide to pursue an ITSP for failing in their reasonable delivery of service to the Insured, and thereby causing losses to be significantly higher than they would be if the ITSP had not failed”.
What’s the solution?
To tackle these concerns, we have amended our processes so that insured clients are clear that any activities proposed by their ITSP in relation to the technical investigation and/or recovery of an incident must be communicated to the incident response specialists for triage and agreement.
The specialists can then communicate these estimates to the insurance claims handlers and, if necessary, via legal partners.
During the risk assessment process, we recommend that brokers consider this a priority, and perhaps a risk that should prompt very direct questions to the insured client at proposal time. Insurers and brokers who are utilising our Cyber3: Rapid Risk Review can rest assured that our service will assess these contractual risks.
What should a good ITSP contract cover?
When investigating the contracts between policyholders and their ITSPs, we recommend that the following conditions are met or assessed:
Does the client have the right to audit the provider (i.e., review backup, patching procedures, etc.)?
Are the experience and qualifications held by the ITSP to investigate cyber incidents outlined?
Is the ITSP contractually bound to report incidents to their clients (if they are a data processor, they need to notify the data controller)?
Is the ITSP contractually bound to support their clients in the event of an incident?
What professional indemnity insurance cover does the ITSP have?
Does the client (or the client’s insurer) have the right to pursue damages from the ITSP if they are negligent?
Does the ITSP have a cybersecurity framework/policy and a data protection policy supported by adequate procedures, each documented to match the client’s governance? N.B., Certification to the international standard for Information Security Management, ISO 27001, would be a suitable accreditation.
Does the ITSP undertake regular (at least annual) testing of their security, including cyber incident exercises involving scenarios relevant to the client’s business risks?