Ever since the GDPR came into effect, it seems as if every contractual negotiation gets bogged down over issues of liability for cyber risks and other GDPR-related liabilities. The rationale for customers is clear: If you can pass the risk down your supply chain, then all the better. However, the position that such practices can put the supplier in is often precarious.
A common retort that we hear when suppliers are considering agreeing to an indemnity to close out a large customer deal is: "we can agree to that, we have insurance!" Alas, all may not be as it seems.
The crux of the issue is that indemnities regularly extend to liabilities that a supplier would not otherwise be liable for at law, even if the supplier does in fact cause or contribute to a cyber or regulatory breach. Examples abound, and are often dependent on the specific drafting of the indemnity. But liability can extend to:
- Regulatory fines that the customer suffers as a result of a cyber incident – even though the supplier may itself be fined for the same breach in proportion to its and its customers' own responsibility for it;
- Compensation paid to data subjects – even though the customer may well bear responsibility at law for the part of the compensation corresponding to their responsibility for the damage (as permitted under Article 82(4) GDPR);
- The costs of investigating and remedying the breach and of handling or defending actions by regulators or data subjects – even if the scale and costs of the investigation depend on the customer's level of compliance and commercial decisions as to how to handle the incident;
- Various categories of loss that are typically excluded in commercial contracts, such as loss of anticipated savings, wasted management time and reputational damage;
- Even ransoms paid by the customer in the event of a ransomware attack, which might fall within the scope of an indemnity.
Clearly customers can raise legitimate arguments as to why suppliers should bear some of these costs on a commercial basis. If the supplier is at fault, then surely the supplier should stand behind its services and put the customer back into the position it would have been had the supplier not caused or contributed to the breach?
The difficulty is that cyber and professional indemnity insurance policies routinely exclude cover for claims where the insured's legal liability arises from an agreement that the insured has entered into, such that the insured's liability is then increased beyond what it would otherwise have been. Insurers take a dim view of being asked to cover additional liabilities voluntarily assumed by the insured.
What does this mean in real terms? If a supplier agrees to an indemnity that results in it having to pay money that it would not otherwise have to pay at law, then its insurance coverage for that payment will be excluded.
The historic reason for this is that, in relation to third party liability, insurers have never sought to cover sums that an insured simply agrees to pay. The insurer will never have liability for payment of the price to be paid as part of a commercial bargain, for example. Liability for liquidated damages for late delivery and agreed service credits for service level failures are all excluded from insurance coverage as a result of this common exclusion.
That does not mean that ALL of the liability that a supplier might suffer under an indemnity for cyber risks would be excluded from cover. In many cases, if an indemnity covers liability that the supplier would have due to its negligence or breach of requirements to have in place appropriate technical and organisational security measures, as required by law, then insurance policies may well cover those liabilities. The problem is that there is huge potential for insurers to dispute cover where the scope of the indemnity is too broad.
The customer, on the other hand, if properly insured for cyber risks, may have its own insurance coverage in place to cover the additional liabilities for which it might be seeking an indemnity. These liabilities are first-party liabilities of the customer that may be insured against under the customer's own cyber insurance policy, if the customer has sought appropriate insurance.
So when a supplier is asked to stomach a broad indemnity, the answer should really be that the supplier should not have to assume liability that it cannot insure itself, when the customer may be in a position to procure its own insurance to cover the risks.
And, if an indemnity must be given, it should ideally be whittled down to cover liabilities arising from the supplier's own breach or negligence, come with a corresponding indemnity from the customer to allow appropriate apportionment of responsibility that an insurer may well cover, and be subject to appropriate caps on liability that reflect an appropriate level of risk for the supplier in the context of its business.
Agreeing to anything else may simply mean that the supplier is insuring the customer.