In representing more than 900 IT clients across the United States, I have personally experienced the fact that many IT business owners think their business insurance covers client data loss situations or network security failures. I have news for you — they don’t. And it’s especially important for managed service providers working with healthcare, legal, or CPA clients to understand this.
All business insurance policies contain a professional services exclusion. This is why a doctor performing surgery must go out and obtain medical malpractice coverage, or a CPA firm preparing tax returns for its clients must get accountants' professional liability. More than 70 classes of business need professional liability, errors and omissions (E&O), or malpractice insurance to protect their organizations in the event that a client holds them responsible for a service they provided — or failed to provide — that didn’t have the expected results.
Exceptions and exclusions to watch out for
But be careful. When you go out to shop for E&O coverage for your IT business, realize that not all policies are created equal. Some policies cover the costs associated with client data loss. Some do not. Some policies cover contingent bodily injury claims (which almost always include lawsuits alleging emotional distress and/or mental anguish) due to the disclosure of personally identifiable or protected health information. Many do not. Some policies will pay to notify the affected individuals after a breach has occurred, which is mandated by legislation based on a certain number of records exposed. Some do not.
And then there are the exclusions. Many carriers deny or challenge claims relating to network security incidents. Why? Some policies mandate that IT businesses “… perform due diligence on third-party vendors to ensure their safeguards of protecting data are adequate; auditing these vendors [Microsoft, Intronis, etc.] at least once per year….”
“Failure to regularly check and maintain security patches on its systems, [and] failure to regularly reassess its information security exposure and enhance risk controls…” could be cited as grounds to deny or challenge a claim. Good luck getting Microsoft to let you audit their systems once a year. If you whitelist third-party software patches and do not upgrade a client overnight, you could be in big trouble.
Learn more about cyber liability
If you are going to provide IT services and work with certain regulated industries, don’t be afraid. You just want to make sure you are dealing with a specialist who understands your business and the insuring agreements/exclusions in the policy form.
Watch the webinar replay to learn more about the necessary coverages a managed service provider should carry when dealing with personally identifiable or protected health information for their clients.