3 Approaches to Handling Contractual Cyber Risk for Staffing Firms

July 2016 • Lockton Companies

MADELINE ALLEN, JD, ARM
Account Executive
816.960.9667

RUTH METZNER, ARM, CPCU
Vice President, Senior Account Executive
816.960.9409

Network security and privacy risks, better known as cyber risks, are changing rapidly. Businesses are trying to effectively address this exposure by implementing strong IT security systems, purchasing insurance policies, and negotiating contract language.

Cyber risk presents a unique challenge for temporary staffing firms. First and foremost, staffing companies possess a large amount of personal applicant and employee data, which is a significant exposure to the staffing company itself. This exposure is best addressed by having a robust IT security infrastructure in place and securing a network security and privacy insurance policy.

Another element of cyber risk that is becoming more prominent is contractual third-party cyber risk. This exposure is finding its way into staffing contracts and can pose a significant risk to staffing firms. A staffing firm needs to carefully review and be aware of what it is signing when the contract is addressing temporary placements working exclusively on its client’s system or network.

How can you combat contractual third-party cyber risk? See the infographic on page 2.


More contracts are outlining specific requirements for the staffing firm to have and to certify cyber insurance coverage. The requirement to certify cyber coverage is not problematic (unless you do not currently carry the coverage); however, the requirement often goes beyond simply certifying a cyber insurance policy.

Some contracts ask for the staffing firm’s client to be an additional insured or additional named insured on the policy. The indemnification provisions in the contract are broad and would hold the staffing company responsible for a breach of the client’s system if the breach was caused by or arose from the actions of the temp worker while on-site.

What is wrong with this requirement?

The staffing firm has no control over the client’s system or the controls in place to safeguard the system. Also, temp employees are often working side by side with the client’s employees, so establishing fault may be a difficult task.

Cyber risk should be viewed no differently than the traditional exposures of a staffing firm. The client, not the staffing firm, controls and directs the worksite. The client makes the business decision to use a temporary employee. The staffing firm’s role is to provide qualified temporary employees to that client. The business risk and liability remain the responsibility of the client.

For example, if you place a temp employee to drive for a client, the primary auto liability stays with the client. If a temp is placed at a construction site, the general liability (specifically, completed operations) remains the primary responsibility of the client. Data security and privacy liability should be viewed no differently by a staffing firm.

It is important to note that if you currently have cyber coverage for your staffing firm’s corporate risk, coverage for this third-party requirement is not automatically included in standard cyber forms. Unless it has been specifically endorsed, your cyber policy will address a claim arising from the compromise of your own network or system but not a claim arising exclusively from a breach of the client’s system (even due to your employees’ actions).

Contractual third-party cyber risk is finding its way into staffing contracts and can pose a significant risk to staffing firms.

More contracts are outlining specific requirements for the staffing firm to have and to certify cyber insurance coverage. Some contracts ask for the staffing firm’s client to be an additional insured or additional named insured on the policy.

WHAT IS WRONG WITH THIS REQUIREMENT?

The staffing firm has no control over the client’s system or the controls in place to safeguard the system. Also, temp employees are often working side by side with the client’s employees, so establishing fault may be a difficult task.

WHAT SHOULD YOU DO WHEN ENCOUNTERING THIS REQUIREMENT?

The first and most desirable approach is to negotiate the requirement out of the contract.

The second approach is to explain that your role is to provide a qualified temporary employee who fits the agreed-upon criteria, and if you fail to fulfill that duty, you have staffing errors and omissions coverage in place.

The final approach is to look into securing the coverage necessary to meet the contractual requirement. Currently, the third-party coverage for breaches caused by temporary staffers on-site at a client is available in the market as an add-on or endorsement to an existing cyber policy. This should be a last-resort approach.


What should you do when encountering this requirement?

Approach #1

The first and most desirable approach is to negotiate the requirement out of the contract, utilizing the previous points. If that is not an option, consider requesting that the client allow its network to be underwritten by an outside third party (i.e., your insurance carrier) for you to secure adequate coverage. A client is not likely to jump at the chance to go through that process.

Additionally, if the client has cyber coverage in place, the client likely already has coverage for the actions of temporary employees included in its coverage form. It may not be aware that the coverage exists (or it may be looking for subrogation potential). Just be sure to confirm that the client’s coverage specifically includes temporary employees in the definition of “insured.”

Approach #2

The second approach is to explain that your role is to provide a qualified temporary employee who fits the agreed-upon criteria, and if you fail to fulfill that duty, you have staffing errors and omissions coverage in place. We recommend this as a second approach because while staffing E&O is in place to respond to negligent recruitment, hiring, and placement, you should review your policies to ensure that there are no specific exclusions that apply to a network security and privacy claim, such as a breach of confidential information or a data breach. Also, staffing E&O will respond to a claim that alleges you were negligent in placing the employee but not to a direct cyber claim made against you.

Approach #3

The final approach is to look into securing the coverage necessary to meet the contractual requirement. We recommend that all staffing firms have cyber coverage in place, but if you currently do not, placing the coverage will take time, and there will be a noticeable cost associated with securing the coverage. Currently, the third-party coverage for breaches caused by temporary staffers on-site at a client is available in the market as an add-on or endorsement to an existing cyber policy. This should be a last-resort approach.


© 2016 Lockton, Inc. All rights reserved. KC: 20467

The insurance market’s willingness to provide third-party coverage will largely depend on the type of staffing you provide and the current market conditions. An insurance carrier will look at a warehouse placement who packs boxes much differently than the placement of an IT, bank, or hospital employee. The availability and price of the coverage will vary dramatically based on the industries for which you provide staffers. Finally, as stated earlier in this article, cyber risks and coverages are evolving rapidly, and the market’s appetite to cover a third-party cyber exposure may fade. It would not be advantageous to have numerous contracts with this requirement only to have the coverage disappear or become too costly in the future.

Every business is working to keep up with the rapid pace of changes in the world of network security and privacy. Traditional cyber coverage can protect a staffing firm from breaches arising out of its own system, and we recommend that every staffing firm carry that coverage. However, in the staffing environment, it’s important to be mindful of a client’s attempts to contractually transfer network security and privacy risks to your firm simply because your employee is on the client’s site and systems. As with many other business risks, the liability should remain with the party that exercises the most control.
