Cyber Liability for IT Consultants is moot. What you really should be considering is a Technology E&O policy. Here’s why:
A Cyber Liability policy is intended to cover you for breaches you (or others) sustain that are not related to your professional service. Think of a medical office being breached, physically or virtually, and having data stolen. Since their professional service is handling the health issues of patients, Cyber Liability is ideal for them.
As an IT Consultant, which is a broadly used term (explained below), you are reasonably expected to keep sensitive information private and to prevent 3rd parties from accessing not only your networks but potentially your clients'. Enter Tech E&O:
Technology E&O (Tech E&O) is designed to cover you on a few distinct levels. It is purposely tailored for technology companies because the claims or wrongful acts associated with your operations will likely be a blend of professional liability and other areas.
Here are the main highlights of what is typically included on a Technology E&O policy:
Errors & Omissions / Professional Liability (PL)
This covers you in the event that the product or service you provide fails to do what is expected and causes your client a financial loss or loss of data. In many policy forms this can also extend to rogue employees.
Network / Security / Privacy / Cyber Liability
Many of these terms are synonymous with each other, but the main takeaway is that this coverage is designed to cover you in the event that you sustain a data breach that results in Personally Identifiable Information (PII) being released, you are alleged to be responsible for a breach of a 3rd party’s network (often a client), your actions have led to a privacy violation and/or you are alleged to be responsible for network downtime (denial of service), including but not limited to downtime beyond the scope of a stated SLA or Terms and Conditions.
The main difference between a straight Cyber Liability coverage and the coverage described above is that this will extend to disputes that allege that your professional service contributed to a data breach, denial of service and/or privacy violation.
Note: As stated above, IT Consultant is a broadly used term. In insurance it means advice only, but in the IT world it means so much more: Network Engineer, Systems Integrator, Software Developer, DevOps, Penetration Tester, SOC Analyst, Auditor.
Here are some common examples that would be excluded from a Cyber Liability policy but would typically be addressed on a Tech E&O:
Network Engineer: Security Misconfiguration of firewalls and ports
Systems Integrator: Default Passwords not changed contributing to breach
Software Developer: Exploitation of Faulty/Buggy Code
Web Developer: Exploitation of Outdated Code, XSS
SaaS / Hosting Company: DDOS, DOS, Data breach
All: Phishing Credentials of Clients where you have a reasonable expectation to keep them private.
Media / Electronic Liability
This is designed to cover you for any content you provide that infringes upon someone else’s intellectual property (including source code) or is alleged to cause personal or advertising injury such as libel, slander, misrepresentation, wrongful eviction, false arrest, malicious prosecution, etc.
As part of Risk Transference, insurance is a viable tool and should be included as part of your Business Continuity Plan. If you are serious about purchasing insurance to protect yourself, I would recommend speaking with a licensed agent/broker who can help you with the details.
Be sure that they furnish you with a copy of the carrier’s specimen form and pay close attention to what is not covered. I hope you found this post helpful and good luck.
*Full Disclosure: Although I work in the insurance industry, these viewpoints are my own and not reflective of the position of the company, past, present or future.
Always consult a licensed agent before purchasing insurance.
For over 20 years, I have had the distinct opportunity to work in the Information Technology space under a variety of distinct roles.
My unique position has helped me become a risk management Maven for Fortune 500 and Small Business Companies around the world. For the last 12 years, I have assisted Small Business Owners and Insurance Agencies in understanding the impacts of Cyber Incident exposures and what steps to take to help mitigate potential data breaches.
My desire to expand my reach related to cyber security has led me to establish the Sage Knows IT blog as a way to help Small Business Owners and aspiring Information Technology (I.T.) Professionals better understand the road-maps of I.T. through the experiences I have had.
Information Technology and Information Security are the future of our world and I hope this blog will inspire those that are interested in joining our ever-evolving field.