Many small- to medium-sized businesses use technology service providers to manage their technological needs. This may include, but is not limited to:
Beyond outsourcing their technology needs, small- to medium-sized businesses commonly outsource their business processes as well, which creates a further exposure. In fact, over a third of small businesses outsource a portion of their business needs, with the most common being accounting, IT services, and digital marketing responsibilities. Tasks such as travel, training, human resources, payroll, and accounts payable and receivable are frequently outsourced and pose significant risk because personal information is passed to the providers.
If the third-party service provider suffers an attack or outage that affects the policyholder, will the service provider indemnify the business owner? Often they do not, and the expenses fall to the business owner.
If a cybercriminal is able to infiltrate the third-party service provider’s system, the incident may have the potential to become a large-scale attack, because the provider’s system can be used to reach the data of many businesses at once. Large-scale attacks such as this have occurred and, in one example, caused many offices to suffer lost data.
Business owners should review their contracts with providers to see who bears liability. Additionally, businesses that outsource any of their business needs may want to consider creating a vendor security due diligence checklist. This checklist will help business owners understand the level of sensitivity of the information being handled on their behalf and is a quick way to obtain information about how service providers handle their system security measures. Information business owners should consider asking for in this checklist includes, but is not limited to:
When selecting cyber coverage for your policyholders, it is important to review the terms of the cyber policy to ensure your policyholder is protected if they sustain a loss due to an attack on their service provider. In addition, ensure your policyholders are equipped to understand the sensitivity of the data their service providers handle, as well as those providers’ level of security and their response capabilities.