Do I Need Cyber Insurance if I Use Third Party Data Consultants?

Caeva O'Callaghan | January 5th, 2021

You may think that you only need cyber insurance if you host and manage your data in-house. But what if you outsource that task to another firm – do you still need a cyber insurance policy?

Yes. Even if you use third party data consultants, you will need a cyber insurance policy in place.

This is because every data breach should be taken seriously, as they are potentially very harmful to your business and your customers and employees’ privacy.

In this article, we’ll answer questions such as:

  • Do I need to tell my cyber insurance about a third party data consultant?
  • Is my data consultant responsible if my company has a data breach?
  • Is cyber insurance essential when working with third party data consultants?

Bringing another company on board to help you manage your IT services can be a prudent business move. However, doing so may open up risks you may otherwise have not had to deal with.

Third party services and GDPR

The company who collected the data is defined under GDPR legislation as the Data Controller. The Data Controller has liability under GDPR, whether they store that information themselves or sub contract it out to a third party.

Put simply, if your company undertook the collection of your clients’, customers’ or your staff’s personal data, that means your company is liable for it.

Your contracted third party may hold the data, or have permission from you to host it, but this doesn’t mean they are ultimately responsible for it.

If a data breach happens, you may have some access to indemnity to the third party. But, you need to consider two things:

  1. These firms are often huge companies that hold a lot of firm’s data and the contract will limit the amount of indemnity given
  2. If one of these firms have a breach, odds are they have breached multiple companies’ data

In the second instance, there will be a lot of firms seeking indemnity simultaneously. The fact is the data services company may not have deep enough pockets or the resources to deal with all of these claims.

It is still your data – no matter who hosts it – you are ultimately responsible.

Data services and cyber crime

When you outsource hosting or management of private or sensitive information to a third party company, you are effectively placing it in the trust of someone who offers it as a service. On one hand, this is a good thing, because the quality and quantity of the service’s client base speaks to its ability to manage data effectively. But on the other hand, this means that their attention is split among multiple priorities.

It’s for this very reason that cyber criminals actively target data hosts and other IT service providers. If they can hack into their systems, they will likely be able to gain access to many more companies’ data at once.

In November 2020, for example, a cyber security expert discovered 63 million records left out in plain sight by Texas-based cloud application hosting provider, Cloud Clusters Inc. No hacking was necessary to view the plain-text emails and passwords. This incident demonstrates an egregious lack of security on the company’s part, which could have been potentially disastrous to millions of its customers.

Cyber insurance is top priority

The fact is, as a client and a customer, you can only take so many precautions when it comes to data protection. One half of your due diligence is to invest in a solid cyber insurance policy. The other is to thoroughly research your data storage provider, and ensure you have total faith in their ability to keep your data safe.

Targeting data storage providers and web hosts is a new trend in cyber crime which is gathering momentum. We can see this evidenced in a steep rise in these cyber insurance claims.

Even today, only 20% of businesses have a cyber insurance policy. Don’t get caught out – call us today to find out how we can protect your business, and your data, from cyber criminals.





All Information in this post is accurate as of the date of publishing.