Cyber Liability for IT Consultants is moot. What you really should be considering is a Technology E&O policy. Here’s why:
A Cyber Liability policy is intended to cover you related to breaches you (or others) sustain not related to your professional service. Think in terms of a medical office being breached physically or virtually and data is being stolen. Since their professional service is handling health issues of patience, Cyber Liability is ideal for them.
As an IT Consultant, which is a broadly used term (will explain below), you have a reasonable expectation to keep sensitive information private or to prevent 3rd parties from accessing not only your networks but potentially your clients. Enter Tech E&O:
Technology E&O (Tech E&O) is designed to cover you on a few distinct levels. It is purposely tailored for technology companies because the claims or wrongful acts associated with your operations will likely be a blend of professional liability and other areas.
Here are the main highlights of what is typically included on a Technology E&O policy:
Errors & Omissions / Professional Liability (PL)
This covers you in the event that your product or service you provide fails to do what is expected and causes your client to have a financial loss or loss of data. In many policy forms this can also extend to rogue employees.
Network / Security / Privacy / Cyber Liability
Much of these terms are synonymous with each other but the main takeaway is that it is designed to cover you in the event you sustain a data breach that results from Personal Identifiable Information (PII) being released, you are alleged to be responsible for a breach of a 3rd party’s network (often a client), your actions have lead to a privacy violation and/or you are alleged to be responsible for network downtime (denial of service) including but not limited to beyond the scope of stated SLA or Terms of Conditions.
The main difference between a straight Cyber Liability coverage and the above aforementioned coverage is that this will extend to disputes that alleged that your professional service contributed to a data breach, denial of service and/or privacy violation.
Note: As stated above IT Consultant is a broadly used term. In insurance it means advice only and in the IT world it means so much more: Network Engineer, Systems Integrator, Software Developer, DevOps, Penetration Tester, SOC Analyst, Auditor.
Here are some common examples that would be excluded from a Cyber Liability policy but would typically be addressed on a Tech E&O:
- Network Engineer: Security Misconfiguration of firewalls and ports
- Systems Integrator: Default Passwords not changed contributing to breach
- Software Developer: Exploitation of Faulty/Buggy Code
- Web Developer: Exploitation of Outdated Code, XSS
- SaaS / Hosting Company: DDOS, DOS, Data breach
- All: Phishing Credentials of Clients where you have a reasonable expectation to keep it private.
Media / Electronic Liability
This is designed to cover you for any content you provide that infringes upon someone else’s intellectual property (including source code) or is alleged to cause personal or advertising injury such as liable, slander, misrepresentation, wrongful eviction, false arrest, malicious prosecution ect.
As part of Risk Transference, insurance is a viable tool and should be included as part of your Business Continuity Plan. If you are serious about purchasing insurance to protect yourself, I would recommend speaking with at licensed agent/broker who can help you with the details.
Be sure that they furnish you with a copy of the carrier’s specimen form and pay close attention to what is not covered. I hope you found this post helpful and good luck.
*Full Disclosure: Although I work in the insurance industry, these viewpoints are my own and not reflective of the position of the company, past, present or future.
Always consult a licensed agent before purchasing insurance.