Vendor incidents and contractual liability

• You own the relationship: customers and regulators usually look to the primary business, not the downstream vendor.
• Contracts allocate blame: service agreements can shift costs back to you, even if the vendor made the mistake.
• Regulators don’t care about vendors: privacy laws typically hold the data owner accountable for protection and notification.

From a legal and regulatory perspective, outsourcing data does not outsource responsibility.

• Indemnification clauses: Some contracts require you to indemnify the vendor for certain claims—even if the vendor was involved in the breach.
  This often appears in software, SaaS, and payment-processing agreements.
• Limitation of liability: Vendors frequently cap their liability to fees paid (e.g., 12 months of service costs).
  A $50,000 annual contract may cap recovery at $50,000—even if damages are far higher.
• Defense obligations: Some agreements require you to defend claims brought against the vendor arising out of your data or customers.

Contract language can matter more than fault when losses are allocated.

• Named insured issue: the vendor’s policy responds to their liability, not necessarily your losses.
• Exclusions and sublimits: contractual liability, fines, or regulatory costs may be limited or excluded.
• Priority of payment: the vendor’s own defense costs often erode limits before any indemnity reaches you.
• No additional insured status: many cyber policies do not allow additional insureds the way GL policies do.

A vendor “having cyber insurance” is not the same as you being protected by it.

Vendor insurance is a backstop at best—not a substitute for your own cyber coverage.

• Breach notification: legally required notices to customers, employees, or regulators.
• Forensics and response: determining what data was accessed, when, and how.
• Credit monitoring: often required or expected after exposure of personal data.
• Business interruption: downtime, lost revenue, and operational disruption.
• Reputation management: PR, customer communications, and trust rebuilding.

These costs arise fast—long before liability disputes are resolved.

• Indemnification scope: who indemnifies whom—and for what types of cyber claims.
• Liability caps: whether caps apply to data breaches or are carved out.
• Security standards: minimum technical and administrative safeguards the vendor must maintain.
• Breach notification timing: how quickly the vendor must notify you after discovering an incident.
• Insurance requirements: required cyber limits, retro dates, and evidence of coverage.

Contracts should assume breaches happen—and clearly state who pays when they do.

• Contractual liability coverage: confirm whether your cyber policy responds to assumed liability.
• Vendor incident coverage: some policies explicitly address breaches originating with third parties.
• Defense costs: ensure defense is outside limits or sufficiently funded.
• Incident response services: access to breach coaches, forensic teams, and legal counsel.

Policy wording varies widely by carrier. Cyber insurance is not interchangeable across markets.

Cyber insurance should be structured around your contracts—not just your IT stack.

If the vendor admits fault, am I still exposed?
Often yes. Customer claims, regulatory actions, and notification obligations usually target the data owner first.

Can I be named as an additional insured on a vendor’s cyber policy?
Rarely. Most cyber policies do not operate like general liability policies in this respect.

Is cyber insurance only for large companies?
No. Smaller organizations are often more vulnerable because they rely heavily on vendors and have fewer internal controls.