Hi Mark,
Thanks for raising this topic. What insurance coverage you require can reveal information about your organization and, to some, whether it is a target opportunity. The first decision will be what you can tell and how you can tell it so it doesn't compromise your organization. So, using an external standard (perhaps for your industry) to set a minimum coverage level would (a) help you have 3P coverage in place, and (b) not reveal your specific protection/requirements, since you quote an industry standard, etc.
Q1. Are there standards out there on what is minimum by vendor (3P) category or risk level or criticality? Does NAIC have any committee working on this?
Q2. (Rhetorical) What coverage was stated on your cyber insurance enrollment? There are often questions used to determine the maximum time (with costs) your firm can be down before it is materially impacted. That info could help you create a coverage amount based on your vendor tiering.
Q3. What information must be excluded from any disclosure to a third party? We have many 3Ps, cold callers, etc. that ask "what are your initiatives?", "what are your security concerns/challenges?", "what are the most important security projects you are working on?". In all cases, we universally refuse to discuss our security posture, architecture, assessment status, etc., as that would give out information that our policies prohibit, in many cases even under an NDA. So instead, I ask how they comply with NY DFS cybersecurity, review their SOC2, have them fill out cybersecurity questionnaires, and ask how their solution stands up to benchmarks that measure against OWASP, CSA CIS Benchmarks, CIS CCM, STAR, CMMC, MITRE, etc. to determine if they fit, rather than tell them what they are "fitting into".
I would treat coverage requirements similarly.
- have a questionnaire that addresses your expectations on risk, etc.
- judge 3P responsiveness to your inquiry
- the ability to be forthcoming, and
- having in place processes to respond quickly
- C-level awareness
Q4. Regardless of what you reveal, do you have an NDA signed up front with third parties as a prerequisite to receive your coverage requirements? This is just like a SOC 2 Type II report, where the vendor is required to have an NDA signed, as per AICPA, before releasing that SOC 2 Type II report.
With all the rich info that Venminder and the TTTP community offer, one lesson is clear -- any disclosure needs to have a committed third party cover you, and not you having to ask them for coverage.
An analogy is a parent taking their coat to cover their child's shoulders as they come home on the school bus because it was much colder at the end of the day than when they left for school. A solid 3P anticipates and offers what you need, or they may be showing they are very immature in risk management, and the buyer should beware.
Original Message:
Sent: 07-10-2023 11:13 AM
From: Mark Ewert
Subject: Minimum Insurance Requirements
Do you outline the insurance requirements for third parties to work with your organization? Is it in the format of a document you are willing to share with this group?
We have a spreadsheet shared between corporate risk and legal, but it is not something we have been willing to share with third parties, let alone internal relationship managers, because it only shows minimum limits by coverage type.
It would be great to understand what others do as I am getting pressured to produce something more formal that could be shared externally with our third parties.
Thank you for your input.
------------------------------
Mark Ewert, CPCU, CIC
Director Vendor Management
Penn National Insurance
------------------------------