
Vendor Agreements Must Address Cyber Risk

May 24, 2021

If you have been paying attention to reports of data breaches, you know that in many cases hackers secured access to a company's data through a vendor's website. Every vendor agreement, new or existing, must be reviewed to be sure this risk is addressed.

There are two aspects to cyber risk: security and insurance.

On the security side, vendors must have security in place, including anti-virus, two-factor authentication and a response plan that includes notification of a breach. If a vendor's employees work from home, they should use a dedicated device not connected to any personal devices. The agreement should also address cloud security.

Cyber insurance must be required. At minimum, the policy must include security and privacy liability to cover contractually required indemnification and confidentiality agreements. Work from home and cloud computing must be covered, and the vendor should confirm that any security requirements are complied with. The policy should also cover failure to comply with any data protection statute. Since cyber policies are not uniform, a certificate of insurance is insufficient; the vendor should provide a copy of their policy or at least a detailed summary.