As society becomes ever more reliant on technology, and globalization expands the supply chain, cyberattacks involving third-party service providers are on the rise.
Some of the most high-profile cyberattacks of 2019 involved a third-party service provider. On May 31, 2019, the American Medical Collection Agency (AMCA) – a billing services provider – suffered a data breach that compromised the sensitive data of nearly 20 million patients. The hacked server impacted approximately 11.9 million patients of Quest Diagnostics and 7.7 million patients of LabCorp. Quest, LabCorp and AMCA were all named in class action lawsuits, with plaintiffs alleging unreasonable breach notification delays, a lack of reasonable data security and possible violations of the Health Insurance Portability and Accountability Act (HIPAA). Just two weeks after announcing the data breach, the AMCA’s parent company declared bankruptcy, citing a “cascade of events” leading to “enormous expenses that were beyond the ability for the debtor to bear”.
This case is important in the context of the evolving cyber risk landscape because it highlights how outsourcing to a third-party provider - whether a cloud provider, a hosted software provider, or a non-IT-related service provider - does not necessarily outsource the risk or the exposure. In fact, it can actually make matters more problematic should a cyber event occur, according to Matt Donovan (pictured), Senior Vice President, Cyber & E&O, at Worldwide Facilities.
Donovan will be discussing this cyber trend and more in a free webinar from Worldwide Facilities, LLC and At-Bay on Wednesday, June 17, at 2pm EDT. Alongside Michael Drummond, At-Bay Tech & Cyber Product Head, Donovan will discuss the evolving cyber risk landscape, providing insights into ongoing cyber threats like data breaches, ransomware and the risks associated with third-party providers, as well as best-practice cyber risk mitigation, comprehensive coverage solutions, and technology’s developing role in the cyber underwriting process.
Referring to the risks associated with third-party service providers, Donovan commented: “People are really starting to become aware that by migrating to the cloud, they have not migrated their exposure to the cloud as well. There are contractual agreements put into place with a cloud provider or a hosted software provider that typically limit the liability that the third-party provider will take on to the actual fees that were paid for the services.
“When cloud technology first became popular, a lot of people around the world said: ‘Great – cloud computing is cheaper, easier, more efficient, and maybe a more cost-effective way to deliver services.’ What they didn’t always think about was what might happen if something were to go wrong with that outsourced provider. However, as more breaches involving third-party providers hit the news, more brokers are saying: ‘Send me a copy of your agreement. You might think that you’re using a popular cloud service provider so you’re safe, but these big companies know how to limit their liability accordingly.’”
Increased use of third-party service providers has also led to more awareness around business continuity exposures and potential insurance coverage gaps – another topic Donovan and Drummond will touch on in the ‘Evolving Cyber Landscape – Trends, Claims and Tech’ webinar. In the past, many businesses thought of cyber insurance policies as existing only to cover breaches. But now, with the COVID-19 pandemic driving a largely remote workforce that is reliant on third-party providers for hosting and connectivity, businesses are starting to understand that any problem with their dependent provider could completely halt their own ability to perform services.
Read more: Capsicum Re develops ransomware solution
“A property policy would typically cover somebody for business interruption resulting from property damage. For example, if a furniture maker is reliant on lumber, but its lumber supplier burns to the ground, the furniture maker can make a business interruption claim. But what if the lumber provider gets hit with a cyberattack, which grinds it to a halt for two-weeks, and this interrupts the furniture maker’s ability to continue its business? There are a couple of cyber insurance markets that are starting to respond to business continuity risks like that,” Donovan told Insurance Business. “They’re starting to cover business continuity-type risks for dependent IT and non-IT providers, like the lumber example. The more people start to think through what their material dependencies are, the more they will start to realize that a cyber policy can help fill some of those gaps in coverage.”
Learn more about emerging data security and cyber risks, and the coverage solutions available to best defend against them by attending the free ‘Evolving Cyber Landscape’ webinar on June 17, 2020, at 2pm ET. Click here to register.