Policy, Program and Procedures

 View Only
  • 1.  Minimum Insurance Requirements

    Posted 07-10-2023 11:13 AM

    Do you outline the insurance requirements for third parties to work with your organization? Is it in the format of a document you are willing to share with this group?

    We have a spreadsheet shared between corporate risk and legal, but it is not something we have been willing to share with third parties, let along internal relationship managers because it only shows minimum limits by coverage type.

    It would be great to understand what others do as I am getting pressured to produce something more formal that could be shared externally with our third parties.

    Thank you for your input.

    Mark Ewert, CPCU, CIC
    Director Vendor Management
    Penn National Insurance

  • 2.  RE: Minimum Insurance Requirements

    Posted 07-10-2023 12:46 PM

    Hi Mark,

    Thanks for raising this topic. What insurance coverage you require can reveal information about your organization and to some, whether it is a target opportunity.  The first decision will be what you can tell and how you can tell it so it doesn't compromise your organization. So, using an external standard (perhaps for your industry) to set a minimum coverage level would (a) help you have 3P coverage in place, and (b) not reveal specifically your protection/requirements since you quote a industry standard, etc.  

    Q1.  Are there standards out there on what is minimum by vendor (3P) category or risk level or criticality?  Does NAIC have any committee working on this?

    Q2.  (Rhetorical) What coverage was stated on your cyber insurance enrollment?  There are often questions used to determine the maximum time (with costs) your firm can be down before it is materially impacted. That info could help you create a coverage amount based on your vendor tiering.

    Q3.  What information must be excluded from any disclosure to a third party?  We have many 3Ps, cold callers, etc that ask "what are your initiatives?", "what is your security concerns/challenges?", "what are the most important security projects you are working on?".   In all cases, we universally refuse to discuss our security posture, architecture, assessment status, etc as that would give out information that our policies prohibit, in many cases, even under a NDA. So instead, I ask how they comply with NY DFS cybersecurity, review their SOC2, have them fill out cybersecurity questionnaires, and how their solution stands up to benchmarks that measure against OWASP, CSA CIS Benchmarks, CIS CCM, STAR, CMMC, MITRE, etc to determine if they fit, rather than tell them what they are "fitting into".   

    I would treat coverage requirements similarly.  

    - have  a questionnaire that addresses your expectations on risk, etc

    • judge 3P responsiveness your inquiry
      • the ability to be forthcoming and
      • having in place processes to respond quickly
      • C-level awareness

    Q4.  Regardless of what you reveal, do you have a NDA signed up front with third parties as prerequisite to receive your coverage requirements? This just like a SOC 2 Type II report where vendor is required to have NDA signed as per AICPA before releasing that SOC 2 Type II report.?

    With all the rich info that Venminder and the TTTP community offers, one lesson is clear -- any disclosure needs to have committed third party cover you, and not you having to ask them for coverage.   

    An analogy is a parent taking their coat to cover their child's shoulders as they come home on school bus because it was much colder at end of the day than when they left for school.  A solid 3P anticipates and offers what you need, or they may be showing they are very immature in risk management and buyer should beware.

  • 3.  RE: Minimum Insurance Requirements

    Posted 07-10-2023 01:05 PM

    I'm glad you asked this, Mark!  Hopefully some will be able to give input here.  This is actually something I'm asking for at our company because we've run into a few concerns with vendors not having the right type of insurance or the right coverage.  I'd love something concrete to be able to refer to, but our risk peeps are thinking it will stay as an ad-hoc type decision.  But my concern is we have nothing in policy or "print" to be able to use for pushback.  


    Jen Wheeler

  • 4.  RE: Minimum Insurance Requirements

    Posted 07-11-2023 08:02 AM

    As our industry (Clinical Research) is very regulated, there are also strict minimum requirements for insurance coverage. We also have these requirements included in our Master Service Agreements, and also require our critical and high risk vendors to provide a copy of their insurance certificates and updates. We implemented the latter, when a vendor forgot to inform us that their insurance company had ceased to cover for their work in Russia, Belarus and Ukraine when the war started, while a big part of their work was conducted in these countries.


    Tanja van Viegen PhD MBA
    senior Vendor Manager