In a recent article, I highlighted that the cyber insurance that suppliers have in place may not extend to cover the broad indemnities suppliers offer for cyber and other GDPR-related risks. But what, I have been asked since, is the right position for a customer to take?
Clearly some take the view that customers should seek to pass liability for cyber and GDPR-related risks down their supply chain for incidents caused or contributed to by their suppliers, even if suppliers may have difficulties obtaining insurance cover for the risks. I have certainly had occasion to negotiate similar positions for some clients.
However, there are a number of very practical reasons why a customer may be better off not seeking broad indemnities for cyber risks in their supply contracts:
1. Losses suffered by a customer for a cyber incident can often be recovered under normal principles of contract law.
If a supplier is in breach of its contractual obligations, then many of the resulting losses would ordinarily be recoverable as damages for breach of contract. Such losses are many and varied, but could extend from the costs incurred in investigating and remedying the breach through to compensation paid to data subjects and various other losses. Under English law, a breach of contract claim does not need to be backed up by an indemnity for a customer to recover.
2. Requesting an indemnity tends to focus the supplier’s attention on the risks for which the indemnity is sought, often resulting in lower caps on liability, broader exclusions of specific losses and fewer substantive obligations than a supplier might otherwise have agreed without an indemnity.
In practice, I have tended to find that it may merely be better to clarify what types of losses should not be excluded as special, indirect or consequential than to seek a broad indemnity. Taking this approach will often help in negotiating higher caps on liability for cyber and GDPR breaches.
3. Where third party liabilities can be covered by the indemnity (such as data subject claims and regulatory investigations and fines), the indemnitor typically seeks to retain conduct of claims, which may be undesirable.
It is common practice for contracts to include conduct of claims provisions that apply to indemnities for third party claims. But in what circumstances would you want one of your suppliers to manage dealings with a regulator, or claims from data subjects, that have arisen as a result of that supplier’s own default? Within the timescales in which cyber incidents need to be investigated, notified and remediated, it simply isn’t feasible for suppliers to have conduct of claims. Retaining the flexibility to manage those claims yourself and subsequently bring a claim for damages is therefore often preferable to a broad indemnity coupled with a conduct of claims clause.
4. There are mechanisms under the GDPR for the allocation of regulatory responsibility and compensation to data subjects.
Processors (which is what most suppliers are) have direct responsibilities under the GDPR, and it would make sense for regulators to take this into account in enforcement action. There are also specific mechanisms in the GDPR for compensation paid to data subjects to be shared between the controllers and processors responsible for a breach: under Article 82, a controller or processor that has paid full compensation for damage may claim back from the others involved the part of the compensation corresponding to their share of responsibility. So it would seem that the legal regime already provides some recourse for customers in respect of cyber incidents that may be caused by a supplier.
5. Suppliers may build significant risk premiums into their pricing if broad indemnities are required for cyber and GDPR-related risks.
The fact is that, when faced with potentially uninsurable risks, most suppliers will have to apply risk premiums in order to justify agreeing to them. Suppliers have already been asked to accept many more restrictions on how they conduct their business as a result of the typical processor clauses put to them. In contract renegotiations and competitive bid situations, you can be sure that a request for broad indemnities will factor into a supplier’s pricing decisions.
6. Most suppliers will not agree to unlimited liability for cyber and GDPR-related risks, now that the scale of fines that regulators like the ICO are prepared to levy has become apparent.
Given that most suppliers will cap their liability, and that the consequences to the customer of a significant incident may well exceed that cap, an indemnity that purports to ensure full coverage for every possible type of loss may end up being largely theoretical. A damages claim up to the capped amount of liability may well be the best remedy the customer can actually obtain.
7. A customer should have comprehensive insurance in place in any case.
With the scale of fines for major cyber incidents now extending into tens and hundreds of millions of pounds, it is inconceivable that a customer should be relying on its supply chain to cover all of its losses in the event of a breach.
Clearly it is important now to have appropriate contractual protections in supply contracts to cover cyber risks (see for example my recent comments in Computer Weekly). However, for all of the reasons given above, focussing on broad and often punitive indemnities may simply not deliver the real benefits required to justify the time and cost of negotiating them. A customer may well put itself, and its supplier, in a better position without them.