Hunton Retail Law Resource

In today’s digital world, data breaches due to vendor failures are becoming increasingly common, often resulting in costly fallout. While insurance can provide a safety net, the interaction between cyber insurance and vendor contracts is crucial for effective recovery and risk management. Vendor contracts should not be treated as mere formalities but as vital frameworks that contain specific, detailed provisions regarding data security obligations to ensure accountability and minimize vulnerabilities.

Attempts to recoup costs from vendors following cybersecurity events increasingly underscore the critical importance of detailed contracts that clearly define cybersecurity obligations and responsibilities. This issue is also becoming a focal point during cyber insurance policy renewals. Weak subrogation cases, where insurers have covered policyholders for incidents caused by vendors but later struggle to recover those costs, have prompted insurers to adopt more aggressive underwriting practices and heightened scrutiny during renewals. Insurers are now asking about contracts between policyholders and their third-party vendors as part of the underwriting process, making inquiries to assess potential exposure. Consequently, policyholders must prioritize precise and enforceable contractual provisions with vendors—not only to enhance their chances of recovering costs after an incident but also to facilitate smoother cyber insurance renewals and potentially secure more favorable policy terms.

The Blackbaud 2020 ransomware incident illustrates the significant challenges policyholders may face in cyber incident disputes when vendor contracts are vague or poorly defined, limitations that can severely restrict recovery options and hinder efforts to recoup losses. In this case, several nonprofit and higher education organizations insured by Travelers and Philadelphia Indemnity incurred substantial costs related to investigating and mitigating the incident. While the insurers initially covered these expenses, they later filed lawsuits against Blackbaud to recover the amounts paid, alleging breach of contract and negligence in an effort to recover their payments.

However, in Travelers Casualty and Surety Co. of America v. Blackbaud Inc., C.A. No. N22C-12-130 KMM and Philadelphia Indemnity Insurance Co. v. Blackbaud Inc., C.A. No. N22C-12-141 KMM, the insurers were ultimately unable to recover from Blackbaud. The court dismissed their claims, finding that the insurers failed to provide sufficient factual detail to support allegations of breach of contract or negligence. Specifically, the court noted that the insurers did not clearly identify the contractual provisions within the vendor contracts that would establish a direct link between the ransomware incident and Blackbaud’s obligation to indemnify the policyholders for their incurred costs.

To prevent these risks, policyholders should focus on enhancing recovery by considering the following proactive measures:

• Contract Review: Include specific, enforceable cybersecurity standards in vendor contracts.
• Indemnity Provisions: Ensure vendor contracts require the vendor to cover costs incurred by the company related to the breach.
• Breach Notification: The vendor contracts should contain clear timelines, cooperation clauses, and audit rights as it pertains to notifying a breach.
• Cyber Insurance Alignment: Consult with an insurance professional to understand coverage obligations under cyber insurance policy and vendor agreements to confirm there are no gaps in coverage or ambiguous language as to what is covered.

It is equally important for policyholders to understand the measures to take after a breach. Following a breach, policyholders must take decisive action to support insurance claims and facilitate recovery from vendors. This involves meticulously documenting all aspects of the incident, including keeping detailed records of:

• Incident Response Steps: record the action taken as a result of the breach, including the timing for such response.
• Third-Party Communications: maintain comprehensive logs of all interactions with vendors and third parties involved in the breach.
• Costs Incurred: compile detailed records for all expenses related to legal fees, IT services, forensic analysis, notification processes, and credit monitoring efforts to maximize recovery.

Cyber risk is a shared responsibility between cyber policies and vendor or third-party contracts. However, the legal system may not always hold third parties accountable. Thus, policyholders should not rely solely on insurance or vendors. Rather, the focus should be on proactive risk management and reactive risk management which put the insured in the best position for coverage.