How you can properly transfer technology risk to your vendors

As cyber events continue to dominate the news cycle, companies struggle to balance new technologies that enhance business operations with the cyber risks these vendors create.  Companies also struggle to properly transfer technology risk to their vendors.  Finding the right risk balance is hard to achieve.  And there is no right or wrong way, so long as the company understands the how and why behind it.  Industries such as healthcare and financial institutions may take a more conservative approach to accepting cyber risk.  Other industries, like technology and retail, may be willing to take on more risk in exchange for operating efficiencies.

Managing cyber risk

There are four main ways companies manage risk:

1. Accept it
2. Transfer it
3. Mitigate it
4. Avoid it

All of these strategies are important parts of an enterprise risk management plan, but many times risk transfer dominates the conversation.

In an ideal world, a company would be able to transfer risk contractually, and would be confident that if a cyber incident or technology failure occurred, they would be successful in enforcing that contract.  In reality, it’s not that straightforward.

What if your vendor won’t assume cyber risk?

Clients often ask us how to handle vendors when the risks cannot realistically be transferred contractually.  Two recent discussions started with these questions:

“We’ve discussed moving to the cloud, but Amazon isn’t going to offer any indemnification language in the contract.  Should we avoid working with them?”

“We recently partnered with a small technology company, and in reality, if they suffer a technology failure or cyber incident, they will close their doors. Even though we have indemnification language in the contract, we’d be out of luck.  Should we no longer partner with them?”

There are many factors that go into answering these questions, but strictly from a risk transfer standpoint, we wouldn’t recommend relying solely on indemnification language and/or the financial strength of a vendor.  The real question comes down to “where does the financial risk sit”?  In the two cases above, the financial risk remained with the client.  So, if you aren’t transferring the financial risk contractually, but you still want to do business with the entity, how can you protect yourself?

Your Technology/Cyber Insurance Program

This is where your insurance program comes into play.  If the financial risk associated with the vendor remains on your balance sheet, E&O/cyber insurance can be used to absorb some, if not all, of the financial implications of a cyber incident.  That may mean exploring higher limits or adding coverages, but as technology companies continue to offer solutions that help drive business, these discussions can help you evaluate how best to transfer risk for your company.